Your message dated Mon, 28 Nov 2005 06:02:20 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#340495: fixed in egroupware 1.0.0.009.dfsg-3-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Nov 2005 20:32:57 +0000
From: Stefan Fritsch <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: CVE-2005-2781: Execution of arbitrary web code
Date: Wed, 23 Nov 2005 21:32:44 +0100
Package: egroupware-fudforum
Severity: grave
Tags: security
Justification: user security hole
egroupware embeds a shared/forked copy of "fudforum", which was
vulnerable to:
| The Avatar upload feature in FUD Forum before 2.7.0 does not properly
| verify uploaded files, which allows remote attackers to execute arbitrary
| PHP code via a file with a .php extension that contains image data
| followed by PHP code.
(Please see http://secunia.com/advisories/16627/ for details)
The vulnerable code is also in egroupware-fudforum. See
http://www.mail-archive.com/[email protected]/msg21210.html for a
fix.
Cheers,
Stefan
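
An added example, not part of the original report and not the FUDforum or eGroupWare fix: it contrasts the kind of check the advisory describes (the content looks like an image, so the client-supplied name is kept) with a check that derives the stored name from the detected image type. The function names, the `AVATAR_TYPES` allowlist and the sample bytes are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; names are hypothetical, not FUDforum/eGroupWare code.

// Allowlist: detected image type => the only extension ever written to disk.
const AVATAR_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/** Weak pattern: only the content is inspected, the client's file name is trusted. */
function weak_avatar_name(string $clientName, string $bytes): ?string
{
    return @getimagesizefromstring($bytes) !== false ? basename($clientName) : null;
}

/** Hardened pattern: the server generates the name; the extension follows the detected type. */
function safe_avatar_name(int $userId, string $bytes): ?string
{
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !array_key_exists($info[2], AVATAR_TYPES)) {
        return null; // not an image, or an image type we do not accept
    }
    return sprintf('avatar_%d.%s', $userId, AVATAR_TYPES[$info[2]]);
}

// Constructed sample: a 1x1 GIF followed by an inert marker standing in for
// the appended code the advisory mentions.
$gif = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
     . "\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b";
$upload = $gif . "<?php /* appended-code marker */ ?>";

// The weak check accepts the upload and keeps the client-chosen extension.
var_dump(weak_avatar_name('me.php', $upload));
// The hardened check ignores the client name entirely.
var_dump(safe_avatar_name(42, $upload));
// Non-image input is rejected outright.
var_dump(safe_avatar_name(42, 'not an image'));
```

A server-chosen extension stops the web server from treating the stored file as a script, but the trailing bytes are still on disk; re-encoding the image and serving uploads from a directory where script execution is disabled addresses that as well.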
---------------------------------------
Received: (at 340495-close) by bugs.debian.org; 28 Nov 2005 14:12:25 +0000
From: Peter Eisentraut <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.60 $
Subject: Bug#340495: fixed in egroupware 1.0.0.009.dfsg-3-4
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Mon, 28 Nov 2005 06:02:20 -0800
Source: egroupware
Source-Version: 1.0.0.009.dfsg-3-4
We believe that the bug you reported is fixed in the latest version of
egroupware, which is due to be installed in the Debian FTP archive:
egroupware-addressbook_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-addressbook_1.0.0.009.dfsg-3-4_all.deb
egroupware-bookmarks_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-bookmarks_1.0.0.009.dfsg-3-4_all.deb
egroupware-calendar_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-calendar_1.0.0.009.dfsg-3-4_all.deb
egroupware-comic_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-comic_1.0.0.009.dfsg-3-4_all.deb
egroupware-core_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-core_1.0.0.009.dfsg-3-4_all.deb
egroupware-developer-tools_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-developer-tools_1.0.0.009.dfsg-3-4_all.deb
egroupware-email_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-email_1.0.0.009.dfsg-3-4_all.deb
egroupware-emailadmin_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-emailadmin_1.0.0.009.dfsg-3-4_all.deb
egroupware-etemplate_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-etemplate_1.0.0.009.dfsg-3-4_all.deb
egroupware-felamimail_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-felamimail_1.0.0.009.dfsg-3-4_all.deb
egroupware-filemanager_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-filemanager_1.0.0.009.dfsg-3-4_all.deb
egroupware-forum_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-forum_1.0.0.009.dfsg-3-4_all.deb
egroupware-ftp_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-ftp_1.0.0.009.dfsg-3-4_all.deb
egroupware-fudforum_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-fudforum_1.0.0.009.dfsg-3-4_all.deb
egroupware-headlines_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-headlines_1.0.0.009.dfsg-3-4_all.deb
egroupware-infolog_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-infolog_1.0.0.009.dfsg-3-4_all.deb
egroupware-jinn_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-jinn_1.0.0.009.dfsg-3-4_all.deb
egroupware-ldap_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-ldap_1.0.0.009.dfsg-3-4_all.deb
egroupware-manual_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-manual_1.0.0.009.dfsg-3-4_all.deb
egroupware-messenger_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-messenger_1.0.0.009.dfsg-3-4_all.deb
egroupware-news-admin_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-news-admin_1.0.0.009.dfsg-3-4_all.deb
egroupware-phpbrain_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-phpbrain_1.0.0.009.dfsg-3-4_all.deb
egroupware-phpldapadmin_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-phpldapadmin_1.0.0.009.dfsg-3-4_all.deb
egroupware-phpsysinfo_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-phpsysinfo_1.0.0.009.dfsg-3-4_all.deb
egroupware-polls_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-polls_1.0.0.009.dfsg-3-4_all.deb
egroupware-projects_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-projects_1.0.0.009.dfsg-3-4_all.deb
egroupware-registration_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-registration_1.0.0.009.dfsg-3-4_all.deb
egroupware-sitemgr_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-sitemgr_1.0.0.009.dfsg-3-4_all.deb
egroupware-stocks_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-stocks_1.0.0.009.dfsg-3-4_all.deb
egroupware-tts_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-tts_1.0.0.009.dfsg-3-4_all.deb
egroupware-wiki_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware-wiki_1.0.0.009.dfsg-3-4_all.deb
egroupware_1.0.0.009.dfsg-3-4.diff.gz
to pool/main/e/egroupware/egroupware_1.0.0.009.dfsg-3-4.diff.gz
egroupware_1.0.0.009.dfsg-3-4.dsc
to pool/main/e/egroupware/egroupware_1.0.0.009.dfsg-3-4.dsc
egroupware_1.0.0.009.dfsg-3-4_all.deb
to pool/main/e/egroupware/egroupware_1.0.0.009.dfsg-3-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Eisentraut <[EMAIL PROTECTED]> (supplier of updated egroupware package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 28 Nov 2005 14:01:13 +0100
Source: egroupware
Binary: egroupware-news-admin egroupware-felamimail egroupware-projects
egroupware-polls egroupware-jinn egroupware-calendar egroupware-messenger
egroupware egroupware-bookmarks egroupware-wiki egroupware-filemanager
egroupware-ldap egroupware-addressbook egroupware-headlines egroupware-tts
egroupware-etemplate egroupware-registration egroupware-comic
egroupware-emailadmin egroupware-ftp egroupware-developer-tools
egroupware-phpldapadmin egroupware-phpsysinfo egroupware-stocks
egroupware-manual egroupware-infolog egroupware-core egroupware-email
egroupware-fudforum egroupware-sitemgr egroupware-phpbrain egroupware-forum
Architecture: source all
Version: 1.0.0.009.dfsg-3-4
Distribution: unstable
Urgency: high
Maintainer: Peter Eisentraut <[EMAIL PROTECTED]>
Changed-By: Peter Eisentraut <[EMAIL PROTECTED]>
Description:
egroupware - web-based groupware suite
egroupware-addressbook - eGroupWare addressbook management application
egroupware-bookmarks - eGroupWare bookmark management application
egroupware-calendar - eGroupWare calendar management application
egroupware-comic - eGroupWare comic strip application
egroupware-core - eGroupWare core modules
egroupware-developer-tools - eGroupWare developer tools
egroupware-email - eGroupWare E-mail client application
egroupware-emailadmin - eGroupWare E-mail user administration application
egroupware-etemplate - widget-based template system for eGroupWare
egroupware-felamimail - eGroupWare FeLaMiMail application
egroupware-filemanager - eGroupWare file manager application
egroupware-forum - eGroupWare forum application
egroupware-ftp - eGroupWare FTP application
egroupware-fudforum - eGroupWare FUDforum application
egroupware-headlines - eGroupWare headlines catcher application
egroupware-infolog - eGroupWare infolog application
egroupware-jinn - content management system for eGroupWare
egroupware-ldap - eGroupware LDAP support files
egroupware-manual - eGroupWare manual
egroupware-messenger - eGroupWare messenger application
egroupware-news-admin - eGroupWare news administration interface
egroupware-phpbrain - eGroupWare phpbrain application
egroupware-phpldapadmin - eGroupWare phpLDAPadmin application
egroupware-phpsysinfo - eGroupWare phpSysInfo application
egroupware-polls - eGroupWare polling application
egroupware-projects - eGroupWare projects management application
egroupware-registration - eGroupWare registration application
egroupware-sitemgr - eGroupWare site manager application
egroupware-stocks - eGroupWare stock management application
egroupware-tts - eGroupWare trouble ticket system application
egroupware-wiki - eGroupWare wiki application
Closes: 340495
Changes:
egroupware (1.0.0.009.dfsg-3-4) unstable; urgency=high
.
* Fixed fudforum arbitrary code execution security problem (CVE-2005-2781)
(closes: #340495)
* Fixed watch file to exclude RC versions
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDiwEtTTx8oVVPtMYRAkYCAJ4qmZTfT++L+8UJxTJvEVywVTZEvQCcDIUe
39tbONEnmqDgGrjw9fsNabg=
=I6nT
-----END PGP SIGNATURE-----