Debian: New phpgroupware packages fix several vulnerabilities

Several remote vulnerabilities have been discovered in phpgroupware, a Web based groupware system written in PHP. An SQL injection vulnerability was found in the authentication module. Multiple directory traversal vulnerabilities were found in the addressbook module. The authentication module is affected by cross-site scripting. Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1978-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
January 26, 2010                      http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : phpgroupware
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2009-4414 CVE-2009-4415 CVE-2009-4416

Several remote vulnerabilities have been discovered in phpgroupware, a
Web based groupware system written in PHP. The Common Vulnerabilities 
and Exposures project identifies the following problems:

CVE-2009-4414

   An SQL injection vulnerability was found in the authentication
   module.

CVE-2009-4415

   Multiple directory traversal vulnerabilities were found in the
   addressbook module.

CVE-2009-4416

   The authentication module is affected by cross-site scripting.


For the stable distribution (lenny) these problems have been fixed in
version 0.9.16.012+dfsg-8+lenny1.

For the unstable distribution (sid) these problems have been fixed in
version 0.9.16.012+dfsg-9.

We recommend that you upgrade your phpgroupware packages.

Upgrade instructions
- --------------------

wget url
       will fetch the file for you
dpkg -i file.deb
       will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
       will update the internal database
apt-get upgrade
       will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg.orig.tar.gz
   Size/MD5 checksum: 19383160 bbfcfa12aca69b4032d7b4d38aeba85f
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny1.diff.gz
   Size/MD5 checksum:    70541 fc805ae50cd52606578ed95e8a5bde96
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny1.dsc
   Size/MD5 checksum:     1662 0507c4e0a6be1d93a060a7c6222c84c0

Architecture independent packages:

 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-email_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:  1167526 b7d47f4df02c98e3269fd2b8bce094f4
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-core-base_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:    48252 80a0c4bf563e576fbad0b023fcca2f4b
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-calendar_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:   268338 acdc243f1b2cbcea42a548408232657d
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-addressbook_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:   180662 e0835bac92df72541b52912e80e1e852
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:    22380 c12295c8f5f4abdf2f9d8c94ceefe4a1
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-news-admin_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:    41572 d21d4ab4ce6adbb23a46a21fd0dd67cb
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-manual_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:    93094 dc2bcd999a4a97a0acb8a0a9b156ea03
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-filemanager_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:    95206 0faba6d54c83ac610d11a256a12eec67
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-phpgwapi_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:  1522130 c4ff77bb7c80222b04ccdb130f5d2db6
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-preferences_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:    60034 b7b86ca86b431dbd7b637506db451196
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:    20228 5563f9a3d9b4835b2c89cb1ba571b23f
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-core_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:     4546 de306e6062f710d430704297106f192e
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-admin_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:   192062 0427388ce20eb307946c6272856313b7
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-notes_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:    33356 700f8d5a2b8fff7b03f464259f912ddb
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-doc_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:   130988 230362e560b03abda388bb0964516d6c
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-phpgwapi-doc_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:  7984748 82aff1fbf1f337ad876dd63be9914102
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-setup_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:   276764 6c743b8fcfbdfa313086264ccee8a7fd
 http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-todo_0.9.16.012+dfsg-8+lenny1_all.deb
   Size/MD5 checksum:    50716 6c7c8523a8e03e94a9211efccb337dd0


 These files will probably be moved into the stable distribution on
 its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAktfVZIACgkQXm3vHE4uylrvOwCdFJvWO6TIq6kMiKuXd6jNIgf9
WzAAn2k180FV5fb0Y4tmkQlJX4OllDBN
=vr1k
-----END PGP SIGNATURE-----