Your message dated Mon, 28 Nov 2005 06:02:20 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#340495: fixed in egroupware 1.0.0.009.dfsg-3-4 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: Stefan Fritsch <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: CVE-2005-2781: Execution of arbitrary web code
Date: Wed, 23 Nov 2005 21:32:44 +0100

Package: egroupware-fudforum
Severity: grave
Tags: security
Justification: user security hole

egroupware embeds a shared/forked copy of "fudforum", which was vulnerable to:

| The Avatar upload feature in FUD Forum before 2.7.0 does not properly
| verify uploaded files, which allows remote attackers to execute arbitrary
| PHP code via a file with a .php extension that contains image data
| followed by PHP code.

(Please see http://secunia.com/advisories/16627/ for details)

The vulnerable code is also in egroupware-fudforum. See
http://www.mail-archive.com/phpgroupware-cvs@gnu.org/msg21210.html
for a fix.

Cheers,
Stefan

---------------------------------------
From: Peter Eisentraut <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#340495: fixed in egroupware 1.0.0.009.dfsg-3-4
Date: Mon, 28 Nov 2005 06:02:20 -0800

Source: egroupware
Source-Version: 1.0.0.009.dfsg-3-4

We believe that the bug you reported is fixed in the latest version of egroupware, which is due to be installed in the Debian FTP archive:

egroupware-addressbook_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-addressbook_1.0.0.009.dfsg-3-4_all.deb
egroupware-bookmarks_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-bookmarks_1.0.0.009.dfsg-3-4_all.deb
egroupware-calendar_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-calendar_1.0.0.009.dfsg-3-4_all.deb
egroupware-comic_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-comic_1.0.0.009.dfsg-3-4_all.deb
egroupware-core_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-core_1.0.0.009.dfsg-3-4_all.deb
egroupware-developer-tools_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-developer-tools_1.0.0.009.dfsg-3-4_all.deb
egroupware-email_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-email_1.0.0.009.dfsg-3-4_all.deb
egroupware-emailadmin_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-emailadmin_1.0.0.009.dfsg-3-4_all.deb
egroupware-etemplate_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-etemplate_1.0.0.009.dfsg-3-4_all.deb
egroupware-felamimail_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-felamimail_1.0.0.009.dfsg-3-4_all.deb
egroupware-filemanager_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-filemanager_1.0.0.009.dfsg-3-4_all.deb
egroupware-forum_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-forum_1.0.0.009.dfsg-3-4_all.deb
egroupware-ftp_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-ftp_1.0.0.009.dfsg-3-4_all.deb
egroupware-fudforum_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-fudforum_1.0.0.009.dfsg-3-4_all.deb
egroupware-headlines_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-headlines_1.0.0.009.dfsg-3-4_all.deb
egroupware-infolog_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-infolog_1.0.0.009.dfsg-3-4_all.deb
egroupware-jinn_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-jinn_1.0.0.009.dfsg-3-4_all.deb
egroupware-ldap_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-ldap_1.0.0.009.dfsg-3-4_all.deb
egroupware-manual_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-manual_1.0.0.009.dfsg-3-4_all.deb
egroupware-messenger_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-messenger_1.0.0.009.dfsg-3-4_all.deb
egroupware-news-admin_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-news-admin_1.0.0.009.dfsg-3-4_all.deb
egroupware-phpbrain_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-phpbrain_1.0.0.009.dfsg-3-4_all.deb
egroupware-phpldapadmin_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-phpldapadmin_1.0.0.009.dfsg-3-4_all.deb
egroupware-phpsysinfo_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-phpsysinfo_1.0.0.009.dfsg-3-4_all.deb
egroupware-polls_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-polls_1.0.0.009.dfsg-3-4_all.deb
egroupware-projects_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-projects_1.0.0.009.dfsg-3-4_all.deb
egroupware-registration_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-registration_1.0.0.009.dfsg-3-4_all.deb
egroupware-sitemgr_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-sitemgr_1.0.0.009.dfsg-3-4_all.deb
egroupware-stocks_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-stocks_1.0.0.009.dfsg-3-4_all.deb
egroupware-tts_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-tts_1.0.0.009.dfsg-3-4_all.deb
egroupware-wiki_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware-wiki_1.0.0.009.dfsg-3-4_all.deb
egroupware_1.0.0.009.dfsg-3-4.diff.gz
  to pool/main/e/egroupware/egroupware_1.0.0.009.dfsg-3-4.diff.gz
egroupware_1.0.0.009.dfsg-3-4.dsc
  to pool/main/e/egroupware/egroupware_1.0.0.009.dfsg-3-4.dsc
egroupware_1.0.0.009.dfsg-3-4_all.deb
  to pool/main/e/egroupware/egroupware_1.0.0.009.dfsg-3-4_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Eisentraut <[EMAIL PROTECTED]> (supplier of updated egroupware package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 28 Nov 2005 14:01:13 +0100
Source: egroupware
Binary: egroupware-news-admin egroupware-felamimail egroupware-projects
 egroupware-polls egroupware-jinn egroupware-calendar egroupware-messenger
 egroupware egroupware-bookmarks egroupware-wiki egroupware-filemanager
 egroupware-ldap egroupware-addressbook egroupware-headlines egroupware-tts
 egroupware-etemplate egroupware-registration egroupware-comic
 egroupware-emailadmin egroupware-ftp egroupware-developer-tools
 egroupware-phpldapadmin egroupware-phpsysinfo egroupware-stocks
 egroupware-manual egroupware-infolog egroupware-core egroupware-email
 egroupware-fudforum egroupware-sitemgr egroupware-phpbrain egroupware-forum
Architecture: source all
Version: 1.0.0.009.dfsg-3-4
Distribution: unstable
Urgency: high
Maintainer: Peter Eisentraut <[EMAIL PROTECTED]>
Changed-By: Peter Eisentraut <[EMAIL PROTECTED]>
Description:
 egroupware - web-based groupware suite
 egroupware-addressbook - eGroupWare addressbook management application
 egroupware-bookmarks - eGroupWare bookmark management application
 egroupware-calendar - eGroupWare calendar management application
 egroupware-comic - eGroupWare comic strip application
 egroupware-core - eGroupWare core modules
 egroupware-developer-tools - eGroupWare developer tools
 egroupware-email - eGroupWare E-mail client application
 egroupware-emailadmin - eGroupWare E-mail user administration application
 egroupware-etemplate - widget-based template system for eGroupWare
 egroupware-felamimail - eGroupWare FeLaMiMail application
 egroupware-filemanager - eGroupWare file manager application
 egroupware-forum - eGroupWare forum application
 egroupware-ftp - eGroupWare FTP application
 egroupware-fudforum - eGroupWare FUDforum application
 egroupware-headlines - eGroupWare headlines catcher application
 egroupware-infolog - eGroupWare infolog application
 egroupware-jinn - content management system for eGroupWare
 egroupware-ldap - eGroupware LDAP support files
 egroupware-manual - eGroupWare manual
 egroupware-messenger - eGroupWare messenger application
 egroupware-news-admin - eGroupWare news administration interface
 egroupware-phpbrain - eGroupWare phpbrain application
 egroupware-phpldapadmin - eGroupWare phpLDAPadmin application
 egroupware-phpsysinfo - eGroupWare phpSysInfo application
 egroupware-polls - eGroupWare polling application
 egroupware-projects - eGroupWare projects management application
 egroupware-registration - eGroupWare registration application
 egroupware-sitemgr - eGroupWare site manager application
 egroupware-stocks - eGroupWare stock management application
 egroupware-tts - eGroupWare trouble ticket system application
 egroupware-wiki - eGroupWare wiki application
Closes: 340495
Changes:
 egroupware (1.0.0.009.dfsg-3-4) unstable; urgency=high
 .
   * Fixed fudforum arbitrary code execution security problem
     (CVE-2005-2781) (closes: #340495)
   * Fixed watch file to exclude RC versions

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDiwEtTTx8oVVPtMYRAkYCAJ4qmZTfT++L+8UJxTJvEVywVTZEvQCcDIUe
39tbONEnmqDgGrjw9fsNabg=
=I6nT
-----END PGP SIGNATURE-----
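
The upload check that the advisory quoted in the bug report says was missing, as an added PHP example (it is not the FUDforum, phpGroupWare or Debian fix, which this page only links to). The function name `avatar_target_name`, the type table and the sample bytes are assumptions made for illustration.

```php
<?php
// Added example: a hypothetical avatar check, not FUDforum or eGroupWare code.

// Image types accepted as avatars, mapped to the extension the server assigns.
const AVATAR_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Returns the file name to store an uploaded avatar under, or null to reject.
 * $clientName is the name sent by the browser; it is checked, never reused.
 */
function avatar_target_name(string $clientName, string $bytes): ?string
{
    // Content check: the data must start as one of the accepted image types.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !array_key_exists($info[2], AVATAR_TYPES)) {
        return null;
    }
    $ext = AVATAR_TYPES[$info[2]];

    // Extension check: a name such as "avatar.php" is refused even though
    // the content check above passed on the leading image data.
    $clientExt = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $accepted  = ($ext === 'jpg') ? ['jpg', 'jpeg'] : [$ext];
    if (!in_array($clientExt, $accepted, true)) {
        return null;
    }

    // Stored name: random stem plus the extension derived from the content.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a 1x1 GIF, then the same bytes with non-image data appended.
$gif      = hex2bin('47494638396101000100800000000000ffffff2c00000000010001000002024401003b');
$appended = $gif . "\n(constructed trailing bytes, standing in for appended code)\n";

// Image content under a .php name: rejected by the extension check.
var_dump(avatar_target_name('avatar.php', $appended) === null);
// Non-image content under an image name: rejected by the content check.
var_dump(avatar_target_name('avatar.gif', 'plain text') === null);
// Matching content and name: stored under a server-generated .gif name.
var_dump(preg_match('/^[0-9a-f]{32}\.gif$/', avatar_target_name('avatar.gif', $gif)) === 1);
```

A file named `avatar.gif` with appended bytes still passes both checks, but it is stored under an image extension chosen by the server. Re-encoding the image with the GD extension before storage would also drop the appended bytes.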