A new release of egroupware was announced today (May 6):
http://freecode.com/projects/egroupware/releases/363507

It fixes 2 security issues. The full changelog is here:
http://www.egroupware.org/changelog

Mageia 3 and Mageia 4 are also affected.
Whiteboard: (none) => MGA4TOO, MGA3TOO
fixed with egroupware-1.8.007.20140506-1.mga3, egroupware-1.8.007.20140506-1.mga4 & egroupware-1.8.007.20140506-1.mga5
CC: (none) => oe
Thanks Oden!

Advisory:
========================

Updated egroupware packages fix security vulnerabilities:

eGroupWare before 1.8.007 allows logged in users with administrative privileges to remotely execute arbitrary commands on the server.

It is also vulnerable to a cross site request forgery vulnerability that allows creating new administrative users.

References:
http://www.egroupware.org/forum#nabble-td3997580
http://www.egroupware.org/changelog
========================

Updated packages in core/updates_testing:
========================
egroupware-1.8.007.20140506-1.mga3
egroupware-bookmarks-1.8.007.20140506-1.mga3
egroupware-calendar-1.8.007.20140506-1.mga3
egroupware-developer_tools-1.8.007.20140506-1.mga3
egroupware-egw-pear-1.8.007.20140506-1.mga3
egroupware-emailadmin-1.8.007.20140506-1.mga3
egroupware-felamimail-1.8.007.20140506-1.mga3
egroupware-filemanager-1.8.007.20140506-1.mga3
egroupware-gallery-1.8.007.20140506-1.mga3
egroupware-importexport-1.8.007.20140506-1.mga3
egroupware-infolog-1.8.007.20140506-1.mga3
egroupware-manual-1.8.007.20140506-1.mga3
egroupware-news_admin-1.8.007.20140506-1.mga3
egroupware-notifications-1.8.007.20140506-1.mga3
egroupware-phpbrain-1.8.007.20140506-1.mga3
egroupware-phpsysinfo-1.8.007.20140506-1.mga3
egroupware-polls-1.8.007.20140506-1.mga3
egroupware-projectmanager-1.8.007.20140506-1.mga3
egroupware-registration-1.8.007.20140506-1.mga3
egroupware-sambaadmin-1.8.007.20140506-1.mga3
egroupware-sitemgr-1.8.007.20140506-1.mga3
egroupware-syncml-1.8.007.20140506-1.mga3
egroupware-timesheet-1.8.007.20140506-1.mga3
egroupware-tracker-1.8.007.20140506-1.mga3
egroupware-wiki-1.8.007.20140506-1.mga3
egroupware-1.8.007.20140506-1.mga4
egroupware-bookmarks-1.8.007.20140506-1.mga4
egroupware-calendar-1.8.007.20140506-1.mga4
egroupware-developer_tools-1.8.007.20140506-1.mga4
egroupware-egw-pear-1.8.007.20140506-1.mga4
egroupware-emailadmin-1.8.007.20140506-1.mga4
egroupware-felamimail-1.8.007.20140506-1.mga4
egroupware-filemanager-1.8.007.20140506-1.mga4
egroupware-gallery-1.8.007.20140506-1.mga4
egroupware-importexport-1.8.007.20140506-1.mga4
egroupware-infolog-1.8.007.20140506-1.mga4
egroupware-manual-1.8.007.20140506-1.mga4
egroupware-news_admin-1.8.007.20140506-1.mga4
egroupware-notifications-1.8.007.20140506-1.mga4
egroupware-phpbrain-1.8.007.20140506-1.mga4
egroupware-phpsysinfo-1.8.007.20140506-1.mga4
egroupware-polls-1.8.007.20140506-1.mga4
egroupware-projectmanager-1.8.007.20140506-1.mga4
egroupware-registration-1.8.007.20140506-1.mga4
egroupware-sambaadmin-1.8.007.20140506-1.mga4
egroupware-sitemgr-1.8.007.20140506-1.mga4
egroupware-syncml-1.8.007.20140506-1.mga4
egroupware-timesheet-1.8.007.20140506-1.mga4
egroupware-tracker-1.8.007.20140506-1.mga4
egroupware-wiki-1.8.007.20140506-1.mga4

from SRPMS:
egroupware-1.8.007.20140506-1.mga3.src.rpm
egroupware-1.8.007.20140506-1.mga4.src.rpm
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Oops, forgot to assign to QA. Advisory in Comment 2.
Assignee: mageia => qa-bugs
Procedure: https://bugs.mageia.org/show_bug.cgi?id=12820

Seem to remember having some issues with this one previously.
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Trying to install egroupware, it complains about php-pdo_mysql (which I thought was installed as part of testing the parallel PHP update Bug 13290 php-pdo_mysql-5.5.12-1.mga4; but apparently not - for the following reason perhaps).

# urpmi egroupware
Nid oes modd gosod y pecyn canlynol am ei fod yn dibynnu ar becynnau sy'n hyn na'r rhai sydd wedi eu gosod:
php-pdo_mysql-5.5.11-1.mga4

which says "Unable to install the following package [php-pdo_mysql] because it depends on packages which are older than those currently installed".

# urpmi php-pdo_mysql
Trying to pre-install php-pdo_mysql yields exactly the same error.

Trying via MCC shows php-pdo_mysql not installed but available as 5.5.11-1 (referencing Release media, *not* Updates Testing where it is 5.5.12-1) yields
"Yn anffodus, nid oes modd dewis y pecyn canlynol:
- php-pdo_mysql-5.5.11-1.mga4.x86_64"
which says "Unfortunately there is no way to select the following package [php-pdo_mysql]".

So egroupware stuck on php-pdo_mysql it seems. A dependency on a specific pkg version? Advice please.
CC: (none) => lewyssmith
If you are installing php-pdo_mysql, you need to install the same version as the other php packages you already have installed. If you're testing the php update, you need to install the pdo package from the update.
(In reply to David Walser from comment #6)
> If you are installing php-pdo_mysql, you need to install the same version as
> the other php packages you already have installed. If you're testing the
> php update, you need to install the pdo package from the update.

Fine. I installed it from Updates Testing repository OK.

BUT only 4 egroupware pkgs were installed:
egroupware 1.8.007.201> 1.mga4 noarch
egroupware-calendar 1.8.007.201> 1.mga4 noarch
egroupware-egw-pear 1.8.007.201> 1.mga4 noarch
egroupware-emailadmin 1.8.007.201> 1.mga4 noarch
What about the very many others? Install them explicitly? The thing seems to work without the rest.

You really do have to specify a valid Zone/City (no surrounding quotes) in /etc/php.ini timezone, and restart httpd before it will pass its environment tests. As Claire said, you also have to skip the main button at the foot of that page and select the 'Write' [configuration file] one first. Otherwise you lose what you specified...

Help again please! On a later setup page "Setup - Domain" the Mailserver settings are causing me grief. It insists on it being completed. I have no mail server installed on my box: do I need one? I cannot see how to use my regular e-mail POP3 account because IMAP is the only choice, and I cannot see how to make 'Mail server login type' fit the situation: it talks of the eGroupware username.

TIA
Testing complete mga4 64

You can do something like 'urpmi -ya egroupware', Lewis, or use MCC to select them all.

It's definitely not straightforward, this one. Managed to get it installed, more by luck than judgement, and created the demo accounts in the user config and then logged in as demo/guest and was able to view the calendar etc.

It doesn't seem to offer pop3 mailserver, as Lewis said, even though it asks for pop3/imap mailserver ip.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-64-ok
Testing complete mga3 64

Although it doesn't offer pop3 it does accept just 'localhost' in pop3/imap server ip and smtp server ip with no other info there, so it's not actually used beyond configuration at this stage.

Generally, not very user friendly this package.
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing mga4 32 now
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates?

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0221.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/599445/