-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 419-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
January 9th, 2003                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : phpgroupware
Vulnerability  : missing filename sanitising, SQL injection
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0016 CAN-2004-0017

The authors of phpgroupware, a web based groupware system written in
PHP, discovered several vulnerabilities.  The Common Vulnerabilities
and Exposures project identifies the following problems:

CAN-2004-0016

    In the "calendar" module, "save extension" was not enforced for
    holiday files.  As a result, server-side PHP scripts could be
    placed in directories that are remotely accessible, causing the
    webserver to execute them.  This was resolved by enforcing the
    extension ".txt" for holiday files.

CAN-2004-0017

    Some SQL injection problems (non-escaping of values used in SQL
    strings) in the "calendar" and "infolog" modules.

Additionally, the Debian maintainer adjusted the permissions on world
writable directories that were accidentally created by the former
postinst during installation.

For the stable distribution (woody) this problem has been fixed in
version 0.9.14-0.RC3.2.woody3.

For the unstable distribution (sid) this problem has been fixed in
version 0.9.14.007-4.

We recommend that you upgrade your phpgroupware, phpgroupware-calendar
and phpgroupware-infolog packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

  Architecture independent components:

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE//mjTW5ql+IAeqTIRArcGAKCoiOTnYdxogjr2t2NDf+lAjzFn8QCgjRdr
lzJyiVYY+5hpSntKb6diMpI=
=vfhg
-----END PGP SIGNATURE-----
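
The CAN-2004-0016 fix described in the advisory (enforcing ".txt" for holiday files) can be sketched as follows. This is an added example, not phpgroupware's code or part of the signed advisory; the function name, base directory and "holidays.<LOCALE>" naming scheme are assumptions, and the inputs are constructed.

```php
<?php
// Added illustration; not phpgroupware code. The function name, directory
// and file naming scheme are assumptions made for this example.

/**
 * Build the on-disk path for a holiday file so that it can never end in an
 * extension the web server would hand to the PHP interpreter.
 */
function holiday_file_path(string $baseDir, string $locale): string
{
    // Drop any directory components supplied by the client.
    $locale = basename(str_replace('\\', '/', $locale));

    // Discard a client-supplied extension chain ("US.php", "US.php.txt").
    $dot = strpos($locale, '.');
    if ($dot !== false) {
        $locale = substr($locale, 0, $dot);
    }

    // Allow-list what is left. \A and \z anchor the whole string, so a
    // trailing newline cannot slip past the way it can with "$".
    if (!preg_match('/\A[A-Za-z]{2,8}\z/', $locale)) {
        throw new InvalidArgumentException('invalid holiday locale');
    }

    // The server, not the client, chooses the extension.
    return rtrim($baseDir, '/') . '/holidays.' . strtoupper($locale) . '.txt';
}

// Constructed inputs: every accepted name ends in ".txt" inside $baseDir.
foreach (['us', 'DE.php', 'fr.txt', '.php', 'x;y', "nl\n"] as $input) {
    try {
        $result = holiday_file_path('/var/lib/example/holidays', $input);
    } catch (InvalidArgumentException $e) {
        $result = 'rejected';
    }
    echo json_encode($input), ' -> ', $result, "\n";
}
```

Enforcing the extension works alongside the permission change the advisory also mentions: the directory holding these files should not be world writable.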
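
For CAN-2004-0017, the "non-escaping of values used in SQL strings" pattern is shown beside a bound-parameter form below. This is an added example, not phpgroupware's code or part of the signed advisory; the table, columns and rows are constructed, and an in-memory SQLite database (pdo_sqlite) is assumed in place of the application's database.

```php
<?php
// Added illustration; not phpgroupware code. Table, columns and sample rows
// are constructed; in-memory SQLite stands in for the real database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cal_entry (id INTEGER PRIMARY KEY, owner INTEGER, title TEXT)');
$db->exec("INSERT INTO cal_entry (owner, title) VALUES (1, 'O''Brien review'), (2, 'Budget')");

/** Pattern named in the advisory: the value is pasted into the SQL string. */
function find_unescaped(PDO $db, string $title): array
{
    return $db->query("SELECT id FROM cal_entry WHERE title = '$title'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

/** Hardened form: the statement text is fixed and values are bound as data. */
function find_bound(PDO $db, string $title, $owner): array
{
    // Numeric fields are validated as integers before they reach the query.
    $owner = filter_var($owner, FILTER_VALIDATE_INT);
    if ($owner === false) {
        throw new InvalidArgumentException('owner must be an integer');
    }
    $stmt = $db->prepare(
        'SELECT id FROM cal_entry WHERE title = :title AND owner = :owner'
    );
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':owner', $owner, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$title = "O'Brien review";   // ordinary user input that contains a quote

try {
    find_unescaped($db, $title);
    echo "unescaped: query ran\n";
} catch (PDOException $e) {
    // The quote closed the string literal early, so the rest of the value
    // was parsed as SQL. Every value reaching this query is parsed that way.
    echo "unescaped: statement rejected by the SQL parser\n";
}

echo 'bound: ', count(find_bound($db, $title, '1')), " row(s)\n";
```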