Säkerhetsbulletin från Debian
DSA-899-1 egroupware -- programmeringsfel
- Rapporterat den:
- 2005-11-17
- Berörda paket:
- egroupware
- Sårbara:
- Ja
- Referenser i säkerhetsdatabaser:
- I Debians felrapporteringssystem: Fel 301118.
I Mitres CVE-förteckning: CVE-2005-0870, CVE-2005-2600, CVE-2005-3347, CVE-2005-3348. - Ytterligare information:
-
Flera sårbarheter har upptäckts i egroupware, en webbaserad grupprogramvarusvit. Projektet Common Vulnerabilities and Exposures identifierar följande problem:
- CVE-2005-0870
Maksymilian Arciemowicz upptäckte flera serveröverskridande skriptproblem, vilka inte alla rättades av DSA 724.
- CVE-2005-2600
Alexander Heidenreich upptäckte ett serveröverskridande skriptproblem i trädvisningen i forumprogramvaran FUD Forum, vilken även ingår i egroupware, vilket gjorde det möjligt för angripare utifrån att läsa privata brev genom att ändra mid-flaggan.
- CVE-2005-3347
Christopher Kunz upptäckte att lokala variabler skrevs över utan kontroll i phpsysinfo, vilket även ingår i egroupware, och senare betroddes, vilket kunde leda till att godtyckliga filer inkluderades.
- CVE-2005-3348
Christopher Kunz upptäckte att indata från användaren användes utan att städas i phpsysinfo och importerades till egroupware, vilket kunde orsaka ett problem med uppdelning av HTTP-svar.
Den gamla stabila utgåvan (Woody) innehåller inte egroupware-paketet.
För den stabila utgåvan (Sarge) har detta problem rättats i version 1.0.0.007-2.dfsg-2sarge4.
För den instabila utgåvan (Sid) har detta problem rättats i version 1.0.0.009.dfsg-3-3.
Vi rekommenderar att ni uppgraderar era egroupware-paket.
- CVE-2005-0870
- Rättat i:
-
Debian GNU/Linux 3.1 (sarge)
- Källkod:
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware_1.0.0.007-2.dfsg-2sarge4.dsc
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware_1.0.0.007-2.dfsg-2sarge4.diff.gz
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware_1.0.0.007-2.dfsg.orig.tar.gz
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware_1.0.0.007-2.dfsg-2sarge4.diff.gz
- Arkitekturoberoende komponent:
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-addressbook_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-bookmarks_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-calendar_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-comic_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-core_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-developer-tools_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-email_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-emailadmin_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-etemplate_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-felamimail_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-filemanager_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-forum_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-ftp_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-fudforum_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-headlines_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-infolog_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-jinn_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-ldap_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-manual_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-messenger_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-news-admin_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-phpbrain_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-phpldapadmin_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-phpsysinfo_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-polls_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-projects_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-registration_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-sitemgr_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-stocks_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-tts_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-wiki_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware_1.0.0.007-2.dfsg-2sarge4_all.deb
- http://security.debian.org/pool/updates/main/e/egroupware/egroupware-bookmarks_1.0.0.007-2.dfsg-2sarge4_all.deb
MD5-kontrollsummor för dessa filer finns i originalbulletinen.