thr3ads.net - Secure testing team - [Secure-testing-team] Bug#573279: egroupware: 2 critial security bugs - remotely exploitable

If this information is useful, please help other people find it:
Share via:

Eneko Lacunza

2010-Mar-10 09:33 UTC

[Secure-testing-team] Bug#573279: egroupware: 2 critial security bugs - remotely exploitable - without login

Package: egroupware
Version: 1.6.002+dfsg-1~bpo50+1
Severity: critical
Tags: security
Justification: -1


1.6.003 has been published fixing 2 critical security bugs:
http://www.egroupware.org/Home?category_id=95&item=93

In a debian-standard apache setup, "only" www-data user/group
accesible files and commands are compromised.

Update fixes a load of other non-security bugs and adds some new features too.

Affected versions include all < 1.6.003 .


-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, ''stable'')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages egroupware depends on:
ii  egroupware-addres 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - addres
ii  egroupware-bookma 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - bookma
ii  egroupware-calend 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - calend
ii  egroupware-core   1.6.002+dfsg-1~bpo50+1 web-based groupware suite - core m
ii  egroupware-develo 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - develo
ii  egroupware-emaila 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - e-mail
ii  egroupware-etempl 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - widget
ii  egroupware-felami 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - e-mail
ii  egroupware-filema 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - file m
ii  egroupware-infolo 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - infolo
ii  egroupware-manual 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - manual
ii  egroupware-news-a 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - news a
ii  egroupware-notifi 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - notifi
ii  egroupware-phpbra 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - phpbra
ii  egroupware-phpsys 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - phpSys
ii  egroupware-polls  1.6.002+dfsg-1~bpo50+1 web-based groupware suite - pollin
ii  egroupware-projec 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - projec
ii  egroupware-regist 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - regist
ii  egroupware-resour 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - resour
ii  egroupware-sambaa 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - Samba 
ii  egroupware-sitemg 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - site m
ii  egroupware-timesh 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - timesh
ii  egroupware-tracke 1.6.002+dfsg-1~bpo50+1 web-based groupware suite - tracke
ii  egroupware-wiki   1.6.002+dfsg-1~bpo50+1 web-based groupware suite - wiki a

egroupware recommends no packages.

egroupware suggests no packages.

-- no debconf information

Secure testing team - Mar 2010 - Bug#573279: egroupware: 2 critial security bugs - remotely exploitable - without login

[Secure-testing-team] Bug#573279: egroupware: 2 critial security bugs - remotely exploitable - without login