[SECURITY] [DSA-2046-1] New phpgroupware packages fix several vulnerabilities

Debian Security Advisory DSA-2046-1 [email protected]
http://www.debian.org/security/ Giuseppe Iuculano
May 13, 2010 http://www.debian.org/security/faq

Package : phpgroupware
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2010-0403 CVE-2010-0404

Several remote vulnerabilities have been discovered in phpgroupware, a
Web based groupware system written in PHP. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2010-0403

A local file inclusion vulnerability allows remote attackers to execute
arbitrary PHP code and include arbitrary local files.

CVE-2010-0404

Multiple SQL injection vulnerabilities allows remote attackers to execute
arbitrary SQL commands.

For the stable distribution (lenny), these problems have been fixed in
version 1:0.9.16.012+dfsg-8+lenny2

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed soon.

We recommend that you upgrade your phpgroupware package.

Upgrade instructions

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny

Debian (stable)

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg.orig.tar.gz
Size/MD5 checksum: 19383160 bbfcfa12aca69b4032d7b4d38aeba85f
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny2.dsc
Size/MD5 checksum: 1662 1a1ff2d6badf454ba2b948ee1268e57b
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny2.diff.gz
Size/MD5 checksum: 74293 9ba66bc79bc0f5bb6454a3372bc2bfd8

Architecture independent packages:

http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-filemanager_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 91562 51f6a2473368c6c21d19b8fd6349635f
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-phpgwapi-doc_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 7985242 c19ed260050702c356c4d14db87e3f0d
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 20158 c09431d20a4d833841340ea79e03854d
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-setup_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 281402 2fc54aa2367098332f67b846b17d8c7a
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-core-base_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 48876 41cc095cbbc3bd97ae36754405df60b9
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-email_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 1167580 4b63e0460fb590082a29391d26331b1e
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-phpgwapi_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 1529004 52216c8fa04c49ebf2d5d12aa6a8013a
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 22522 783f747d25f32fe4024db807a0727261
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-core_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 4726 0a3140a4bdc80c8b421ef865c1f730d3
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-doc_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 130240 dc11591ae411a496bc5828d88eaed65d
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-todo_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 50810 b632b74158236fea55b5014830c26369
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-preferences_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 60432 8355e743ea535fbb8b5afef5bcb196bb
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-manual_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 93564 f44dbd8f6b2902d4980c4ec23d955d02
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-news-admin_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 41194 9ed410fd27d8e0c7430a90fa2eaabb70
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-calendar_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 270288 ffa447f1b07658090d9acdec93ef31a5
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-admin_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 188302 84057847fe79ad066a751a0b5f1abef7
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-addressbook_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 176400 0294b85b1e34e7879edbc4ee832dfa43
http://security.debian.org/pool/updates/main/p/phpgroupware/phpgroupware-0.9.16-notes_0.9.16.012+dfsg-8+lenny2_all.deb
Size/MD5 checksum: 33074 95aff5b1efc3ba4eeb3a5756549ae070

These files will probably be moved into the stable distribution on
its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/&lt;pkg&gt;