Bug 13334 - egroupware new security issues fixed upstream in 1.8.007
Summary: egroupware new security issues fixed upstream in 1.8.007
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/599445/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-05-07 01:58 CEST by David Walser
Modified: 2014-05-19 20:25 CEST (History)
4 users (show)

See Also:
Source RPM: egroupware-1.8.006.20140217-1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-05-07 01:58:43 CEST
A new release of egroupware was announced today (May 6):
http://freecode.com/projects/egroupware/releases/363507

It fixes 2 security issues.  The full changelog is here:
http://www.egroupware.org/changelog

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-05-07 01:58:50 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Oden Eriksson 2014-05-07 16:01:53 CEST
fixed with egroupware-1.8.007.20140506-1.mga3, egroupware-1.8.007.20140506-1.mga4 & egroupware-1.8.007.20140506-1.mga5

CC: (none) => oe

Comment 2 David Walser 2014-05-07 20:46:21 CEST
Thanks Oden!

Advisory:
========================

Updated egroupware packages fix security vulnerabilities:

eGroupWare before 1.8.007 allows logged in users with administrative
priviledges to remotely execute arbitrary commands on the server.  It is
also vulnerable to a cross site request forgery vulnerability that allows
creating new administrative users.

References:
http://www.egroupware.org/forum#nabble-td3997580
http://www.egroupware.org/changelog
========================

Updated packages in core/updates_testing:
========================
egroupware-1.8.007.20140506-1.mga3
egroupware-bookmarks-1.8.007.20140506-1.mga3
egroupware-calendar-1.8.007.20140506-1.mga3
egroupware-developer_tools-1.8.007.20140506-1.mga3
egroupware-egw-pear-1.8.007.20140506-1.mga3
egroupware-emailadmin-1.8.007.20140506-1.mga3
egroupware-felamimail-1.8.007.20140506-1.mga3
egroupware-filemanager-1.8.007.20140506-1.mga3
egroupware-gallery-1.8.007.20140506-1.mga3
egroupware-importexport-1.8.007.20140506-1.mga3
egroupware-infolog-1.8.007.20140506-1.mga3
egroupware-manual-1.8.007.20140506-1.mga3
egroupware-news_admin-1.8.007.20140506-1.mga3
egroupware-notifications-1.8.007.20140506-1.mga3
egroupware-phpbrain-1.8.007.20140506-1.mga3
egroupware-phpsysinfo-1.8.007.20140506-1.mga3
egroupware-polls-1.8.007.20140506-1.mga3
egroupware-projectmanager-1.8.007.20140506-1.mga3
egroupware-registration-1.8.007.20140506-1.mga3
egroupware-sambaadmin-1.8.007.20140506-1.mga3
egroupware-sitemgr-1.8.007.20140506-1.mga3
egroupware-syncml-1.8.007.20140506-1.mga3
egroupware-timesheet-1.8.007.20140506-1.mga3
egroupware-tracker-1.8.007.20140506-1.mga3
egroupware-wiki-1.8.007.20140506-1.mga3
egroupware-1.8.007.20140506-1.mga4
egroupware-bookmarks-1.8.007.20140506-1.mga4
egroupware-calendar-1.8.007.20140506-1.mga4
egroupware-developer_tools-1.8.007.20140506-1.mga4
egroupware-egw-pear-1.8.007.20140506-1.mga4
egroupware-emailadmin-1.8.007.20140506-1.mga4
egroupware-felamimail-1.8.007.20140506-1.mga4
egroupware-filemanager-1.8.007.20140506-1.mga4
egroupware-gallery-1.8.007.20140506-1.mga4
egroupware-importexport-1.8.007.20140506-1.mga4
egroupware-infolog-1.8.007.20140506-1.mga4
egroupware-manual-1.8.007.20140506-1.mga4
egroupware-news_admin-1.8.007.20140506-1.mga4
egroupware-notifications-1.8.007.20140506-1.mga4
egroupware-phpbrain-1.8.007.20140506-1.mga4
egroupware-phpsysinfo-1.8.007.20140506-1.mga4
egroupware-polls-1.8.007.20140506-1.mga4
egroupware-projectmanager-1.8.007.20140506-1.mga4
egroupware-registration-1.8.007.20140506-1.mga4
egroupware-sambaadmin-1.8.007.20140506-1.mga4
egroupware-sitemgr-1.8.007.20140506-1.mga4
egroupware-syncml-1.8.007.20140506-1.mga4
egroupware-timesheet-1.8.007.20140506-1.mga4
egroupware-tracker-1.8.007.20140506-1.mga4
egroupware-wiki-1.8.007.20140506-1.mga4

from SRPMS:
egroupware-1.8.007.20140506-1.mga3.src.rpm
egroupware-1.8.007.20140506-1.mga4.src.rpm

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 David Walser 2014-05-08 15:28:21 CEST
Oops, forgot to assign to QA.  Advisory in Comment 2.

Assignee: mageia => qa-bugs

Comment 4 claire robinson 2014-05-10 09:37:56 CEST
Procedure: https://bugs.mageia.org/show_bug.cgi?id=12820

Seem to remember having some issues with this one previously.

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 5 Lewis Smith 2014-05-11 21:24:02 CEST
Trying to install egroupware, it complains about php-pdo_mysql (which I thought was installed as part of testing the parallel PHP update Bug 13290
php-pdo_mysql-5.5.12-1.mga4; but apparently not - for the following reason perhaps).
 # urpmi egroupware
 Nid oes modd gosod y pecyn canlynol am ei fod yn dibynnu ar becynnau
 sy'n hyn na'r rhai sydd wedi eu gosod:
 php-pdo_mysql-5.5.11-1.mga4
which says "Unable to install the following package [php-pdo_mysql] because it depends on packages which are older than those currently installed".

 # urpmi php-pdo_mysql
Trying to pre-install php-pdo_mysql yields exactly the same error.

Trying via MCC shows php-pdo_mysql not installed but available as 5.5.11-1 (referencing Release media, *not* Updates Testing where it is 5.5.12-1) yields
"Yn anffodus, nid oes modd dewis y pecyn canlynol:
- php-pdo_mysql-5.5.11-1.mga4.x86_64"
which says "Unfortunately there is no way to select the following package [php-pdo_mysql]".

So egroupware stuck on php-pdo_mysql it seems. A dependancy on a specific pkg version? Advice please.

CC: (none) => lewyssmith

Comment 6 David Walser 2014-05-11 21:44:42 CEST
If you are installing php-pdo_mysql, you need to install the same version as the other php packages you already have installed.  If you're testing the php update, you need to install the pdo package from the update.
Comment 7 Lewis Smith 2014-05-13 21:55:14 CEST
(In reply to David Walser from comment #6)
> If you are installing php-pdo_mysql, you need to install the same version as
> the other php packages you already have installed.  If you're testing the
> php update, you need to install the pdo package from the update.
Fine. I installed it from Updates Testing repository OK. BUT only 4 egroupware pkgs were installed:
 egroupware                     1.8.007.201> 1.mga4        noarch  
 egroupware-calendar            1.8.007.201> 1.mga4        noarch  
 egroupware-egw-pear            1.8.007.201> 1.mga4        noarch  
 egroupware-emailadmin          1.8.007.201> 1.mga4        noarch
What about the very many others? Install them explicitly? The thing seems to work without the rest. You really do have to specify a valid Zone/City (no surrounding quotes) in /etc/php.ini timzone, and restart httpd before it will pass its environment tests. As Claire said, you also have to skip the main button at the foot of that page and select the 'Write' [configuration file] one first. Otherwise loose what you specified...

Help again please!
On a later setup page "Setup - Domain" the Mailserver settings are causing me grief. It insists on it being completed. I have no mail server installed on my box: do I need one? I cannot see how to use my regular e-mail POP3 account because IMAP is the only choice, and I cannot see how to make 'Mail server login type' fit the situation: it talks of the eGroupware username.

TIA
Comment 8 claire robinson 2014-05-15 17:56:06 CEST
Testing complete mga4 64

You can do something like 'urpmi -ya egroupware' lewis or use MCC to select them all.

It's definitely not straightforward this one. Managed to get it installed, more by luck then judgement, and created the demo accounts in the user config and then logged in a demo/guest and was able to view the calendar etc.

It doesn't seem to offer pop3 mailserver, as lewis said, even though it asks for pop3/imap mailserver ip.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Comment 9 claire robinson 2014-05-15 18:13:46 CEST
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok

Comment 10 claire robinson 2014-05-15 18:48:07 CEST
Testing complete mga3 64

Although it doesn't offer pop3 it does accept just 'localhost' in pop3/imap server ip and smtp server ip with no other info there, so it's not actually used beyond configuration at this stage.

Generally, not very user friendly this package.

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok

Comment 11 claire robinson 2014-05-16 15:37:15 CEST
Testing mga4 32 now
Comment 12 claire robinson 2014-05-16 16:20:31 CEST
Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 13 claire robinson 2014-05-16 16:30:06 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 14 Thomas Backlund 2014-05-17 02:45:20 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0221.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-05-19 20:25:38 CEST

URL: (none) => http://lwn.net/Vulnerabilities/599445/


Note You need to log in before you can comment on or make changes to this bug.