A CVE was assigned for a security issue fixed upstream in 1.8.006.20140217: http://openwall.com/lists/oss-security/2014/02/19/4 Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

eGroupware prior to 1.8.006.20140217 is vulnerable to remote file deletion and possible remote code execution due to user input being passed to PHP's unserialize() method (CVE-2014-2027).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://www.egroupware.org/changelog
http://openwall.com/lists/oss-security/2014/02/19/4
========================

Updated packages in core/updates_testing:
========================
egroupware-1.8.006.20140217-1.mga3
egroupware-bookmarks-1.8.006.20140217-1.mga3
egroupware-calendar-1.8.006.20140217-1.mga3
egroupware-developer_tools-1.8.006.20140217-1.mga3
egroupware-egw-pear-1.8.006.20140217-1.mga3
egroupware-emailadmin-1.8.006.20140217-1.mga3
egroupware-felamimail-1.8.006.20140217-1.mga3
egroupware-filemanager-1.8.006.20140217-1.mga3
egroupware-gallery-1.8.006.20140217-1.mga3
egroupware-importexport-1.8.006.20140217-1.mga3
egroupware-infolog-1.8.006.20140217-1.mga3
egroupware-manual-1.8.006.20140217-1.mga3
egroupware-news_admin-1.8.006.20140217-1.mga3
egroupware-notifications-1.8.006.20140217-1.mga3
egroupware-phpbrain-1.8.006.20140217-1.mga3
egroupware-phpsysinfo-1.8.006.20140217-1.mga3
egroupware-polls-1.8.006.20140217-1.mga3
egroupware-projectmanager-1.8.006.20140217-1.mga3
egroupware-registration-1.8.006.20140217-1.mga3
egroupware-sambaadmin-1.8.006.20140217-1.mga3
egroupware-sitemgr-1.8.006.20140217-1.mga3
egroupware-syncml-1.8.006.20140217-1.mga3
egroupware-timesheet-1.8.006.20140217-1.mga3
egroupware-tracker-1.8.006.20140217-1.mga3
egroupware-wiki-1.8.006.20140217-1.mga3
egroupware-1.8.006.20140217-1.mga4
egroupware-bookmarks-1.8.006.20140217-1.mga4
egroupware-calendar-1.8.006.20140217-1.mga4
egroupware-developer_tools-1.8.006.20140217-1.mga4
egroupware-egw-pear-1.8.006.20140217-1.mga4
egroupware-emailadmin-1.8.006.20140217-1.mga4
egroupware-felamimail-1.8.006.20140217-1.mga4
egroupware-filemanager-1.8.006.20140217-1.mga4
egroupware-gallery-1.8.006.20140217-1.mga4
egroupware-importexport-1.8.006.20140217-1.mga4
egroupware-infolog-1.8.006.20140217-1.mga4
egroupware-manual-1.8.006.20140217-1.mga4
egroupware-news_admin-1.8.006.20140217-1.mga4
egroupware-notifications-1.8.006.20140217-1.mga4
egroupware-phpbrain-1.8.006.20140217-1.mga4
egroupware-phpsysinfo-1.8.006.20140217-1.mga4
egroupware-polls-1.8.006.20140217-1.mga4
egroupware-projectmanager-1.8.006.20140217-1.mga4
egroupware-registration-1.8.006.20140217-1.mga4
egroupware-sambaadmin-1.8.006.20140217-1.mga4
egroupware-sitemgr-1.8.006.20140217-1.mga4
egroupware-syncml-1.8.006.20140217-1.mga4
egroupware-timesheet-1.8.006.20140217-1.mga4
egroupware-tracker-1.8.006.20140217-1.mga4
egroupware-wiki-1.8.006.20140217-1.mga4

from SRPMS:
egroupware-1.8.006.20140217-1.mga3.src.rpm
egroupware-1.8.006.20140217-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
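The advisory above attributes the issue to user input being passed to PHP's unserialize(). The following is an added audit sketch, not part of the bug report and not eGroupware code: a line-based heuristic that flags unserialize() calls whose argument comes from a request superglobal, directly or through an intermediate variable. The superglobal list, the function name and the PHP sample are assumptions made for illustration.

```python
import re

# Request-controlled PHP superglobals treated as taint sources (heuristic list).
SOURCE = re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST|FILES|SERVER)\b")
ASSIGN = re.compile(r"(\$\w+)\s*=(?![=>])\s*(.+?);")
CALL = re.compile(r"\bunserialize\s*\((.*)\)", re.IGNORECASE)


def find_tainted_unserialize(php_source):
    """Return [(line_no, code)] for unserialize() calls fed by request data.

    Line-based heuristic, not a PHP parser: a variable counts as tainted once
    it is assigned from a superglobal or from another tainted variable.
    """
    tainted = set()

    def is_tainted(expr):
        if SOURCE.search(expr):
            return True
        return any(re.search(re.escape(v) + r"\b", expr) for v in tainted)

    findings = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        code = line.split("//", 1)[0].strip()  # crude: drops // comments
        call = CALL.search(code)
        if call and is_tainted(call.group(1)):
            findings.append((line_no, code))
        for var, rhs in ASSIGN.findall(code):
            if is_tainted(rhs):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigned from a clean value
    return findings


# Constructed sample, not eGroupware code.
SAMPLE = """<?php
$raw = base64_decode($_COOKIE['prefs']);
$prefs = unserialize($raw);            // reached through $raw
$cache = unserialize(file_get_contents('/var/cache/app.ser'));
$opts = unserialize($_POST['opts']);   // direct
$safe = json_decode($_REQUEST['opts'], true);
"""

if __name__ == "__main__":
    for line_no, code in find_tainted_unserialize(SAMPLE):
        print(f"line {line_no}: {code}")
```

A hit is a lead for manual review, not proof of a vulnerability; data that reaches unserialize() across functions or files is outside what this heuristic sees.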
Installed all packages on Mageia 4 64. Ran the web post-install using http://localhost/egroupware. Install finalized without any problem.
CC: (none) => ennael1
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok
Tested on Mageia 4 32. All is ok.
Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga4-32-ok
Testing mga3 32

Installed packages and browsed to http://localhost/egroupware to complete the installation.

It is a confusing installation and tl;dr broken.

If doing the 'Installation tests' you get the message..

    Checking php.ini: date.timezone set and not "System/Localtime": ini_get('date.timezone')=''
    No VALID timezone set! ("System/Localtime" is NOT sufficient, you have to use a timezone identifer like "Europe/Berlin", see full list of valid identifers)

You need to set date.timezone in /etc/php.ini and restart httpd service. It is commented out by default so set for example..

    [Date]
    ; Defines the default timezone used by the date functions
    ; http://php.net/date.timezone
    date.timezone = Europe/London

Then..

    # service httpd restart

There are various warnings then and one error at the bottom..

    Checking for JPGraph in /var/www/jpgraph: False
    You dont have JPGraph version 1.13 or higher installed! It is needed from ProjectManager for Ganttcharts. Please download a recent version from jpgraph.net/download/ and install it as /var/www/jpgraph.

It is able to continue the installation without it though and write a config file. It's not able to create a database though after logging in as 'Setup/Config Admin Login'. It asks for DB root login to be able to create the egroupware DB but fails with..

    Database error: Necessary php database support for mysql (mysql.so) not loaded and can't be loaded, exiting !!!
    mysql Error: 1045 (Access denied for user 'egroupware'@'localhost' (using password: YES))
    Function: egw_db->query / egw_db->create_database
    Database error: Necessary php database support for mysql (mysql.so) not loaded and can't be loaded, exiting !!!
    mysql Error: 1045 (Access denied for user 'egroupware'@'localhost' (using password: YES))
    Function: egw_db->query / egw_db->create_database
    Database error: Necessary php database support for mysql (mysql.so) not loaded and can't be loaded, exiting !!!
    mysql Error: 1045 (Access denied for user 'egroupware'@'localhost' (using password: YES))
    Function: egw_db->create_database and can't be loaded, exiting !!!
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok => MGA3TOO has_procedure feedback mga4-64-ok mga4-32-ok
Does it work if you install php-mysql? I don't know if it maybe supports other database types and just uses mysql by default, so it may not be appropriate to have it actually require it, you might just have to know you're using that database type and install it.
Right, yeah. It was pulling in php-pdo_mysql but with php-mysql installed it shows one less warning on the installation check.

Note: on the DB configuration page, don't click "Add new database" just click "Write" to write the config file, then continue and log in as "Setup/Config Admin Login".

It then goes through several steps making you click buttons but does install the database and then tries the applications too but fails again..

    CreateIndexSQL(NULL,'egw_wiki_pages',Array ( [0] => wiki_body(32) ) ,Array ( [0] => FULLTEXT ) ) sql=Array ( [0] => ALTER TABLE `egw_wiki_pages` ADD FULLTEXT INDEX `egw_wiki_pages_body` (`wiki_body` (32)) )
    The used table type doesn't support FULLTEXT indexes
    An error happened
    calendar_timezones::import_sqlite('calendar/setup/timezones.sqlite') required SQLite support (PHP extension pdo_sqlite) missing!

Tried installing php-sqlite3 which made no difference but php-pdo_sqlite did allow it to install them. It then fails with..

    CreateIndexSQL(NULL,'egw_wiki_pages',Array ( [0] => wiki_body(32) ) ,Array ( [0] => FULLTEXT ) ) sql=Array ( [0] => ALTER TABLE `egw_wiki_pages` ADD FULLTEXT INDEX `egw_wiki_pages_body` (`wiki_body` (32)) )
I missed part of the error message..

    CreateIndexSQL(NULL,'egw_wiki_pages',Array ( [0] => wiki_body(32) ) ,Array ( [0] => FULLTEXT ) ) sql=Array ( [0] => ALTER TABLE `egw_wiki_pages` ADD FULLTEXT INDEX `egw_wiki_pages_body` (`wiki_body` (32)) )
    The used table type doesn't support FULLTEXT indexes
Testing complete on Mageia 3 i586. Installed MariaDB, and phpmyadmin. Set password for mysql root, and timezone in /etc/php.ini (America/Toronto, in my case). Installed egroupware, restarted httpd, was then able to use http://localhost/egroupware to create the database, and an admin user, install the language, and selected install all apps. Logged out, logged in as the admin user, and am presented with the calendar app, to start with. Added an event. Testing x86_64 shortly.
CC: (none) => davidwhodgins
Whiteboard: MGA3TOO has_procedure feedback mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga4-64-ok mga4-32-ok MGA3-32-OK
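The setup blockers reported in the comments above (date.timezone commented out in /etc/php.ini, mysql.so not loaded, the pdo_sqlite extension missing) can be checked before opening the web installer. This is an added example, not part of the bug report or of eGroupware's own installation tests; the function names and the sample inputs are constructed for illustration.

```python
REQUIRED_MODULES = ("mysql", "pdo_sqlite")  # mysql.so and pdo_sqlite, per the thread


def effective_ini_value(ini_text, key):
    """Return the last uncommented value of `key` in php.ini text, or None."""
    value = None
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue  # blank line, comment (";date.timezone =") or section
        name, sep, raw = line.partition("=")
        if sep and name.strip() == key:
            value = raw.split(";", 1)[0].strip().strip("\"'")
    return value


def precheck(ini_text, php_m_output):
    """List the setup blockers reported in this thread that are still present."""
    problems = []
    tz = effective_ini_value(ini_text, "date.timezone")
    if not tz:
        problems.append("date.timezone is not set")
    elif tz == "System/Localtime":
        problems.append("date.timezone must be an identifier such as Europe/Berlin")
    loaded = {m.strip().lower() for m in php_m_output.splitlines()}
    for module in REQUIRED_MODULES:
        if module not in loaded:
            problems.append(f"PHP module {module} is not loaded")
    return problems


# Constructed inputs: a php.ini with the default commented-out setting and
# `php -m` output from a host that only pulled in php-pdo_mysql.
INI_DEFAULT = "[Date]\n; http://php.net/date.timezone\n;date.timezone =\n"
INI_FIXED = "[Date]\ndate.timezone = Europe/London\n"
MODULES_BEFORE = "[PHP Modules]\nCore\ndate\nPDO\npdo_mysql\n"
MODULES_AFTER = MODULES_BEFORE + "mysql\npdo_sqlite\n"

if __name__ == "__main__":
    for problem in precheck(INI_DEFAULT, MODULES_BEFORE):
        print("BLOCKER:", problem)
```

On a real host, pass the contents of /etc/php.ini and the output of `php -m` to `precheck()`.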
Testing complete on Mageia 3 x86_64. Advisory added to svn. Validating the update.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga4-64-ok mga4-32-ok MGA3-32-OK => MGA3TOO has_procedure mga4-64-ok mga4-32-ok MGA3-32-OK MGA3-64-OK advisory
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0116.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/589243/