
EGroupware 1.6.003 security and bugfix release

Ralf Becker (Stylite AG)

EGroupware 1.6.003 security and bugfix release

The new release fixes 2 serious security problems, many bugs and
implements SyncML 1.2

Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:

    * one is a serious remote command execution (allowing arbitrary
commands to be run on the web server by simply issuing an HTTP request!).
    * the other a reflected cross-site scripting (XSS).
    * both require NO valid EGroupware account and work without being
logged in!

Vulnerable are all EGroupware versions incl. 1.4.001+.002, 1.6.001+.002
and the commercial EPL versions 9.1+9.2!

The problem is fixed in EGroupware's SVN (for 1.4, 1.6 and trunk) and
there will be a coordinated release of a new EGroupware version 1.6.003
by Stylite GmbH / EGroupware project and publication of the exploits by
CYBSEC S.A. on March 9th.

==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!

The security fixes are also included in the commercial EGroupware
version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.

1.6.003 does much more than fixing the above security problems:

    * implements SyncML 1.2 support and many SyncML fixes
    * lots of bugs fixed since the release of 1.6.002
    * for more information about bugfixes, see our changelog:
      http://www.egroupware.org/changelog

All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

Ralf
--
Ralf Becker
Director Software Development

Stylite GmbH
[open style of IT]

Morschheimer Strasse 15
67292 Kirchheimbolanden

phone  +49 (0) 6352 70629-0
fax    +49 (0) 6352 70629-30
mailto: [hidden email]

www.stylite.de
www.egroupware.org
________________________________________________

Managing directors: Andre Keller,
        Gudrun Müller, Ralf Becker
Commercial register: Kaiserslautern HRB 30575
VAT-Id: DE214280951

_______________________________________________
eGroupWare-announcement mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/egroupware-announcement
Ralf Becker (Stylite AG)

Update: EGroupware 1.6.003 security and bugfix release

With 1.6.003 some annoying bugs slipped through, which we have now fixed
with updated 1.6.003-2 packages.

Please note:

* SyncML application now needs to be enabled for a user or group like
all other applications. Otherwise all SyncML access will fail!

* You always need to install at least *two* packages: eGroupware and
eGroupware-egw-pear (this is for license reasons and has always been that way)

* Updated RPM packages use version 1.6.003-15.1 (not 1.6.003-2)!

* *NEW* repository for Debian or Ubuntu is available now, see
www.egroupware.org/download for details

All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

==> We recommend everyone updates to 1.6.003-2

Ralf

Ralf Becker wrote:

> The new release fixes 2 serious security problems, many bugs and
> implements SyncML 1.2
>
> Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
> problems in EGroupware:
>
>     * one is a serious remote command execution (allowing arbitrary
> commands to be run on the web server by simply issuing an HTTP request!).
>     * the other a reflected cross-site scripting (XSS).
>     * both require NO valid EGroupware account and work without being
> logged in!
>
> Vulnerable are all EGroupware versions incl. 1.4.001+.002, 1.6.001+.002
> and the commercial EPL versions 9.1+9.2!
>
> The problem is fixed in EGroupware's SVN (for 1.4, 1.6 and trunk) and
> there will be a coordinated release of a new EGroupware version 1.6.003
> by Stylite GmbH / EGroupware project and publication of the exploits by
> CYBSEC S.A. on March 9th.
>
> ==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!
>
> The security fixes are also included in the commercial EGroupware
> version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.
>
> 1.6.003 does much more than fixing the above security problems:
>
>     * implements SyncML 1.2 support and many SyncML fixes
>     * lots of bugs fixed since the release of 1.6.002
>     * for more information about bugfixes, see our changelog:
>       http://www.egroupware.org/changelog
>
> All package types are available via our download page:
> http://www.egroupware.org/download
>
> Update instructions are available via the setup manual pages:
> http://www.egroupware.org/wiki/ManualSetupUpdate
>
> Ralf


proximity 3

Re: EGroupware 1.6.003 security and bugfix release

Synopsis
========

The eGroupWare software contains multiple cross-site scripting
vulnerabilities.

Background
==========

eGroupWare is a suite of web-based group applications including
calendar, address book, messenger and email.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /    Vulnerable    /              Unaffected
    -------------------------------------------------------------------
  1  www-apps/egroupware      <= 1.0.00.003              >= 1.0.00.004

Description
===========

Joxean Koret recently discovered multiple cross-site scripting
vulnerabilities in various modules of the eGroupWare suite. This
includes the calendar, address book, messenger and ticket modules.

Impact
======

These vulnerabilities give an attacker the ability to inject and
execute malicious script code, potentially compromising the victim's
browser.
