eGroupware 1.8.007 has a severe bug that will at best delete LDAP user accounts, and at worst corrupt the LDAP database when used with a Samba 4 Active Directory. Because of this the maintainer of eGroupware suggests everyone migrate to eGroupware 14.1, which officially supports a Samba 4 AD. eGroupware 14.1 has many new dependencies which exist as Pear modules. Import from OpenSuse recommended.
eGroupware 1.8's behaviour is also in practice violation for OpenLDAP as well.
CC: (none) => neoclust
Assigning to maintainer. Nicolas, seems a severe issue.
Whiteboard: (none) => MGA4TOO MGA5TOO
Severity: normal => critical
Assignee: bugsquad => mageia
(although we should check if we're affected since we don't have samba 4)
(In reply to Samuel VERSCHELDE from comment #3)
> (although we should check if we're affected since we don't have samba 4)

Okay, let me explain: the behaviour of most LDAP applications is to issue an ldap modify command to any existing LDAP entry in the tree and edit or add only the existing object classes connected to that entry in the tree. All applications except OpenLDAP do this to avoid running afoul of an Object Class Constraint Violation. eGroupware 1.8 reads the entire entry into a temporary space, makes changes in that space, then issues a drop command to delete the entire entry, then an add command to add a new entry with its changes. If for any reason a constraint violation or an object class violation occurs, the new entry won't be re-added, and eGroupware will error out. ACLs in both modern versions of OpenLDAP and Samba 4.1 can run afoul of this. Recommended action is to import the Suse eGroupware packages and Rosa Horde packages.
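The failure mode described in the comment above, as an added simulation that is not part of the bug report or of eGroupware's code: a toy directory with a constructed objectClass schema shows that an in-place modify validates before writing and keeps the entry on a constraint violation, whereas the delete-then-add pattern has already destroyed the entry when the re-add is refused.

```python
# Added example (not from the bug report): toy LDAP directory and schema that
# reproduce the data-loss pattern described above. Real servers enforce far
# more than MUST attributes; this only models the one constraint that matters.

# Constructed minimal schema: objectClass -> attributes that MUST be present.
SCHEMA = {
    "inetOrgPerson": {"cn", "sn"},
    "posixAccount": {"uid", "uidNumber", "gidNumber", "homeDirectory"},
}

class ConstraintViolation(Exception):
    """Raised when an entry lacks a MUST attribute of a declared objectClass."""

def validate(entry):
    for oc in entry.get("objectClass", []):
        missing = SCHEMA.get(oc, set()) - set(entry)
        if missing:
            raise ConstraintViolation(f"{oc} requires {sorted(missing)}")

def apply_changes(entry, changes):
    """Merge a change set; a value of None means 'remove this attribute'."""
    return {k: v for k, v in {**entry, **changes}.items() if v is not None}

def modify_in_place(directory, dn, changes):
    """LDAP-modify style: validate the merged result, then commit.
    On a violation nothing is written and the old entry survives."""
    merged = apply_changes(directory[dn], changes)
    validate(merged)            # raises before any write happens
    directory[dn] = merged

def delete_then_add(directory, dn, changes):
    """The eGroupware 1.8 pattern: copy, edit the copy, delete the original,
    add the copy. If the add is refused, the delete has already happened."""
    copy = apply_changes(directory[dn], changes)
    del directory[dn]           # destructive step comes first
    validate(copy)              # violation here -> entry is already gone
    directory[dn] = copy

def run_scenario(update):
    """Apply an update that drops a MUST attribute of posixAccount and
    report whether the entry still exists afterwards."""
    dn = "uid=alice,ou=people,dc=example,dc=org"   # constructed entry
    directory = {dn: {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "cn": "Alice", "sn": "Example", "uid": "alice", "uidNumber": "1001",
        "gidNumber": "100", "homeDirectory": "/home/alice",
    }}
    try:
        update(directory, dn, {"homeDirectory": None})
    except ConstraintViolation:
        pass                    # the server refused the change either way
    return dn in directory      # modify_in_place -> True, delete_then_add -> False
```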
Still an issue. Please use Packages from Rosa Linux 2014.1
It has been so long since this package has been updated, that eGroupware 16.1 has been released.
Summary: eGroupware 14.1 needs Packaging due to Samba 4 bugs. => eGroupware 16.1 needs Packaging due to LDAP bugs.
Stored XSS vulnerability in eGroupware Community Edition before 16.1.20170922 allows an unauthenticated remote attacker to inject JavaScript via the User-Agent HTTP header, which is mishandled during rendering by the application administrator.
CVE: (none) => CVE-2017-14920
URL: (none) => https://nvd.nist.gov/vuln/detail/CVE-2017-14920
Component: RPM Packages => Security
Whiteboard: MGA4TOO MGA5TOO => MGA7TOO
QA Contact: (none) => security
Please pull from Rosa on this matter. They have a substantially updated SPEC file for this app. This app in its current state must be updated to conform to the demands of PHP 7.0.
Source RPM: egroupware => egroupware-1.8.007.20140506-11.mga8.src
Where are the spec files from them, so I can take a look?
The newest I see out there is alt-linux: .config/mib-report/sisyphus.txt:http://mirror.yandex.ru/altlinux/Sisyphus/files/SRPMS/egroupware-19.1.20200430-alt1.src.rpm opensuse doesn't have it. It looks like ROSA's package is unmaintained and bitrotting; it's over three years old.
question: Do we keep it ?
It's a webapp that has been unmaintained for several years in Mageia. Let's drop it.
This application is one of my most Critical systems. I have to handle it out of tree because the package is not maintained.
Looking at ROSA's spec file provides a basis for a very simple setup script for this software, so it's a good candidate for dropping.
removing from mageia 8
Status: NEW => RESOLVED
Resolution: (none) => FIXED