Mageia Bugzilla – Bug 13334
egroupware new security issues fixed upstream in 1.8.007
Last modified: 2014-05-19 20:25:38 CEST
A new release of egroupware was announced today (May 6):
It fixes 2 security issues. The full changelog is here:
Mageia 3 and Mageia 4 are also affected.
fixed with egroupware-1.8.007.20140506-1.mga3, egroupware-1.8.007.20140506-1.mga4 & egroupware-1.8.007.20140506-1.mga5
Updated egroupware packages fix security vulnerabilities:
eGroupWare before 1.8.007 allows logged-in users with administrative
privileges to remotely execute arbitrary commands on the server. It is
also vulnerable to a cross-site request forgery vulnerability that allows
creating new administrative users.
Updated packages in core/updates_testing:
Oops, forgot to assign to QA. Advisory in Comment 2.
Seem to remember having some issues with this one previously.
Trying to install egroupware, it complains about php-pdo_mysql (which I thought was installed as part of testing the parallel PHP update, Bug 13290, php-pdo_mysql-5.5.12-1.mga4; but apparently not, perhaps for the following reason).
# urpmi egroupware
[error message in Welsh] which says "Unable to install the following package [php-pdo_mysql] because it depends on packages which are older than those currently installed".
# urpmi php-pdo_mysql
Trying to pre-install php-pdo_mysql yields exactly the same error.
Trying via MCC, which shows php-pdo_mysql not installed but available as 5.5.11-1 (referencing Release media, *not* Updates Testing where it is 5.5.12-1), yields
[a message in Welsh] which says "Unfortunately there is no way to select the following package [php-pdo_mysql]".
So egroupware is stuck on php-pdo_mysql, it seems. A dependency on a specific package version? Advice please.
If you are installing php-pdo_mysql, you need to install the same version as the other php packages you already have installed. If you're testing the php update, you need to install the pdo package from the update.
(In reply to David Walser from comment #6)
> If you are installing php-pdo_mysql, you need to install the same version as
> the other php packages you already have installed. If you're testing the
> php update, you need to install the pdo package from the update.
Fine. I installed it from the Updates Testing repository OK. BUT only 4 egroupware packages were installed:
egroupware 1.8.007.201> 1.mga4 noarch
egroupware-calendar 1.8.007.201> 1.mga4 noarch
egroupware-egw-pear 1.8.007.201> 1.mga4 noarch
egroupware-emailadmin 1.8.007.201> 1.mga4 noarch
What about the very many others? Install them explicitly? The thing seems to work without the rest. You really do have to specify a valid Zone/City (no surrounding quotes) in the timezone setting in /etc/php.ini, and restart httpd, before it will pass its environment tests. As Claire said, you also have to skip the main button at the foot of that page and select the 'Write' [configuration file] one first. Otherwise you lose what you specified...
Help again please!
On a later setup page "Setup - Domain" the Mailserver settings are causing me grief. It insists on it being completed. I have no mail server installed on my box: do I need one? I cannot see how to use my regular e-mail POP3 account because IMAP is the only choice, and I cannot see how to make 'Mail server login type' fit the situation: it talks of the eGroupware username.
Testing complete mga4 64
You can do something like 'urpmi -ya egroupware', lewis, or use MCC to select them all.
It's definitely not straightforward, this one. Managed to get it installed, more by luck than judgement, created the demo accounts in the user config, then logged in as demo/guest and was able to view the calendar etc.
It doesn't seem to offer a POP3 mail server, as lewis said, even though it asks for a POP3/IMAP mail server IP.
Testing complete mga3 32
Testing complete mga3 64
Although it doesn't offer POP3, it does accept just 'localhost' in the POP3/IMAP server IP and SMTP server IP fields with no other info there, so it's not actually used beyond configuration at this stage.
Generally, not very user-friendly, this package.
Testing mga4 32 now
Testing complete mga4 32
Validating. Advisory uploaded.
Could sysadmin please push to 3 & 4 updates.