EGroupware 1.6.003 security and bugfix release

Ralf_Becker_Stylite 2010-03-08 22:06:04 UTC #1

The new release fixes 2 serious security problems, many bugs and
implements SyncML 1.2

Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:

* one is a serious remote command execution (allowing to run

arbitrary command on the web server by simply issuing a HTTP request!).
* the other a reflected cross-site scripting (XSS).
* both require NO valid EGroupware account and work without being
logged in!

Vulnerable are all EGroupware version incl. 1.4.001+.002, 1.6.001+.002
and the commercial EPL versions 9.1+9.2!

The problem is fixed in EGroupware’s SVN (for 1.4, 1.6 and trunk) and
there will be a coordinated release of a new EGroupware version 1.6.003
by Stylite GmbH / EGroupware project and publication of the exploits by
CYBSEC S.A. on March 9th.

==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!

The security fixes are also included in the commercial EGroupware
version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.

1.6.003 does much more then fixing the above security problems:

* implements SyncML 1.2 support and many SyncML fixes
* lots of bugs fixed since the release of 1.6.002
* for more information about bugfixes, see our changelog:
  http://www.egroupware.org/changelog

All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

Ralf

Ralf Becker
Director Software Development

Stylite GmbH
[open style of IT]

Morschheimer Strasse 15
67292 Kirchheimbolanden

fon +49 (0) 6352 70629-0
fax +49 (0) 6352 70629-30
mailto: rb@stylite.de

www.stylite.de
www.egroupware.org

Geschäftsführer Andre Keller,
Gudrun Müller, Ralf Becker
Registergericht Kaiserslautern HRB 30575
Umsatzsteuer-Id / VAT-Id: DE214280951

Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

ChristophK 2010-03-09 08:32:06 UTC #2

Hello,

thanks a lot for all the work, Jörg has done a lot of things around Groupdav,
as I have tested Caldav seems to work now for infolog. Is there some
information about the changes somewhere?

Christoph

The new release fixes 2 serious security problems, many bugs and
implements SyncML 1.2

Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:
* one is a serious remote command execution (allowing to run
arbitrary command on the web server by simply issuing a HTTP request!).
* the other a reflected cross-site scripting (XSS).
* both require NO valid EGroupware account and work without being
logged in!

Vulnerable are all EGroupware version incl. 1.4.001+.002, 1.6.001+.002
and the commercial EPL versions 9.1+9.2!

The problem is fixed in EGroupware’s SVN (for 1.4, 1.6 and trunk) and
there will be a coordinated release of a new EGroupware version 1.6.003
by Stylite GmbH / EGroupware project and publication of the exploits by
CYBSEC S.A. on March 9th.

==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!

The security fixes are also included in the commercial EGroupware
version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.

1.6.003 does much more then fixing the above security problems:
* implements SyncML 1.2 support and many SyncML fixes
* lots of bugs fixed since the release of 1.6.002
* for more information about bugfixes, see our changelog:
  http://www.egroupware.org/changelog
All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

Ralf

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

Ralf_Becker_Stylite 2010-03-09 10:28:47 UTC #3

Hi Christoph,

some is in the changelog: www.egroupware.org/changelog

Mac addressbook is working for example now with EGroupware 1.6.003,
trunk or EPL 9.2.

Maybe Joerg can elaborate a bit more about the changes.

Ralf

Christoph Kaulich schrieb:

Hello,

thanks a lot for all the work, Jörg has done a lot of things around Groupdav,
as I have tested Caldav seems to work now for infolog. Is there some
information about the changes somewhere?

Christoph
The new release fixes 2 serious security problems, many bugs and
implements SyncML 1.2

Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:
* one is a serious remote command execution (allowing to run
arbitrary command on the web server by simply issuing a HTTP request!).
* the other a reflected cross-site scripting (XSS).
* both require NO valid EGroupware account and work without being
logged in!

Vulnerable are all EGroupware version incl. 1.4.001+.002, 1.6.001+.002
and the commercial EPL versions 9.1+9.2!

The problem is fixed in EGroupware’s SVN (for 1.4, 1.6 and trunk) and
there will be a coordinated release of a new EGroupware version 1.6.003
by Stylite GmbH / EGroupware project and publication of the exploits by
CYBSEC S.A. on March 9th.

==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!

The security fixes are also included in the commercial EGroupware
version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.

1.6.003 does much more then fixing the above security problems:
* implements SyncML 1.2 support and many SyncML fixes
* lots of bugs fixed since the release of 1.6.002
* for more information about bugfixes, see our changelog:
  http://www.egroupware.org/changelog
All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

Ralf
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

–
Ralf Becker
Director Software Development

Stylite GmbH
[open style of IT]

Morschheimer Strasse 15
67292 Kirchheimbolanden

fon +49 (0) 6352 70629-0
fax +49 (0) 6352 70629-30
mailto: rb@stylite.de

www.stylite.de
www.egroupware.org

Geschäftsführer Andre Keller,
Gudrun Müller, Ralf Becker
Registergericht Kaiserslautern HRB 30575
Umsatzsteuer-Id / VAT-Id: DE214280951

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

Hans-Jurgen_Tappe 2010-03-09 13:17:56 UTC #4

Hi Ralf!

Can you please add a new BIG hint on the lists that all devices should be
synced before the upgrade and also a full sync should be performed after
the upgrade in order to avoid duplicates?

See Christian’s mail "IMPORTANT NOTE FOR ALL SYNCML USERS. PLEASE READ!"
from 03.02.2010 19:18

… just to avoid too many support cases…

Thanks a lot,
Hans-Jürgen

Ralf Becker schrieb:

The new release fixes 2 serious security problems, many bugs and
implements SyncML 1.2

Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:
* one is a serious remote command execution (allowing to run
arbitrary command on the web server by simply issuing a HTTP request!).
* the other a reflected cross-site scripting (XSS).
* both require NO valid EGroupware account and work without being
logged in!

Vulnerable are all EGroupware version incl. 1.4.001+.002, 1.6.001+.002
and the commercial EPL versions 9.1+9.2!

The problem is fixed in EGroupware’s SVN (for 1.4, 1.6 and trunk) and
there will be a coordinated release of a new EGroupware version 1.6.003
by Stylite GmbH / EGroupware project and publication of the exploits by
CYBSEC S.A. on March 9th.

==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!

The security fixes are also included in the commercial EGroupware
version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.

1.6.003 does much more then fixing the above security problems:
* implements SyncML 1.2 support and many SyncML fixes
* lots of bugs fixed since the release of 1.6.002
* for more information about bugfixes, see our changelog:
  http://www.egroupware.org/changelog
All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

Ralf

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

Joerg_de_la_Haye 2010-03-09 14:50:41 UTC #5

Hello Christoph,

thanks a lot for all the work, Jörg has done a lot of things around Groupdav,
as I have tested Caldav seems to work now for infolog. Is there some
information about the changes somewhere?

Which client did you use for testing infolog via Caldav? I’ve tested it using Lightning and it didn’t work.

Joerg

ketzaldev 2010-03-09 20:22:27 UTC #6

Hi all

I’d like to thanks all the team for the really good work you do. I’m using EGW since 1.6, and I upgraded this evening to 1.6.003 without any troubles.

Good luck, and thanks again

Ketzaldev

jaytraxx 2010-03-09 20:32:44 UTC #7

Hi Hans-Jürgen,

thx for thinking my thoughts. I just wanted to drop the Stylite team a
mail but you’ve been faster

Greetings
christian

Hans-Juergen Tappe schrieb:

Hi Ralf!

Can you please add a new BIG hint on the lists that all devices should be
synced before the upgrade and also a full sync should be performed after
the upgrade in order to avoid duplicates?

See Christian’s mail "IMPORTANT NOTE FOR ALL SYNCML USERS. PLEASE READ!"
from 03.02.2010 19:18

… just to avoid too many support cases…

Thanks a lot,
Hans-Jürgen

Ralf Becker schrieb:
The new release fixes 2 serious security problems, many bugs and
implements SyncML 1.2

Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:
* one is a serious remote command execution (allowing to run
arbitrary command on the web server by simply issuing a HTTP request!).
* the other a reflected cross-site scripting (XSS).
* both require NO valid EGroupware account and work without being
logged in!

Vulnerable are all EGroupware version incl. 1.4.001+.002, 1.6.001+.002
and the commercial EPL versions 9.1+9.2!

The problem is fixed in EGroupware’s SVN (for 1.4, 1.6 and trunk) and
there will be a coordinated release of a new EGroupware version 1.6.003
by Stylite GmbH / EGroupware project and publication of the exploits by
CYBSEC S.A. on March 9th.

==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!

The security fixes are also included in the commercial EGroupware
version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.

1.6.003 does much more then fixing the above security problems:
* implements SyncML 1.2 support and many SyncML fixes
* lots of bugs fixed since the release of 1.6.002
* for more information about bugfixes, see our changelog:
  http://www.egroupware.org/changelog
All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

Ralf
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

zorg 2010-03-09 21:52:02 UTC #8

Hello
first at all I want to thanks you about this new release and the
security fix

and I have a question
I thought that 1.6.003 would include all the stuff implement in the
patch http://k.noc.de/index.php?option=com_content&view=article&id=6

but all the setting preferences for the syncml doesn’t seem to be
present (egrouware/syncml/inc/hook_settings.inc.php)

Does this functionnality be add later , is it a choice to not implement
or is it me who is missing something

cyril

Christoph Kaulich a écrit :

Hello,

thanks a lot for all the work, Jörg has done a lot of things around Groupdav,
as I have tested Caldav seems to work now for infolog. Is there some
information about the changes somewhere?

Christoph
The new release fixes 2 serious security problems, many bugs and
implements SyncML 1.2

Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:
* one is a serious remote command execution (allowing to run
arbitrary command on the web server by simply issuing a HTTP request!).
* the other a reflected cross-site scripting (XSS).
* both require NO valid EGroupware account and work without being
logged in!

Vulnerable are all EGroupware version incl. 1.4.001+.002, 1.6.001+.002
and the commercial EPL versions 9.1+9.2!

The problem is fixed in EGroupware’s SVN (for 1.4, 1.6 and trunk) and
there will be a coordinated release of a new EGroupware version 1.6.003
by Stylite GmbH / EGroupware project and publication of the exploits by
CYBSEC S.A. on March 9th.

==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!

The security fixes are also included in the commercial EGroupware
version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.

1.6.003 does much more then fixing the above security problems:
* implements SyncML 1.2 support and many SyncML fixes
* lots of bugs fixed since the release of 1.6.002
* for more information about bugfixes, see our changelog:
  http://www.egroupware.org/changelog
All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

Ralf
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

zorg 2010-03-13 10:58:58 UTC #9

Hello
I’m sad there is no developer that have time to answer my question
because for me this functunality was nice to help configure stuff for
syncml so I’ll very interest to know why you removed this

thanks

zorg a écrit :

Hello
first at all I want to thanks you about this new release and the
security fix

and I have a question
I thought that 1.6.003 would include all the stuff implement in the
patch http://k.noc.de/index.php?option=com_content&view=article&id=6

but all the setting preferences for the syncml doesn’t seem to be
present (egrouware/syncml/inc/hook_settings.inc.php)

Does this functionnality be add later , is it a choice to not implement
or is it me who is missing something

cyril

Christoph Kaulich a écrit :
Hello,

thanks a lot for all the work, Jörg has done a lot of things around Groupdav,
as I have tested Caldav seems to work now for infolog. Is there some
information about the changes somewhere?

Christoph
The new release fixes 2 serious security problems, many bugs and
implements SyncML 1.2

Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:
* one is a serious remote command execution (allowing to run
arbitrary command on the web server by simply issuing a HTTP request!).
* the other a reflected cross-site scripting (XSS).
* both require NO valid EGroupware account and work without being
logged in!

Vulnerable are all EGroupware version incl. 1.4.001+.002, 1.6.001+.002
and the commercial EPL versions 9.1+9.2!

The problem is fixed in EGroupware’s SVN (for 1.4, 1.6 and trunk) and
there will be a coordinated release of a new EGroupware version 1.6.003
by Stylite GmbH / EGroupware project and publication of the exploits by
CYBSEC S.A. on March 9th.

==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!

The security fixes are also included in the commercial EGroupware
version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.

1.6.003 does much more then fixing the above security problems:
* implements SyncML 1.2 support and many SyncML fixes
* lots of bugs fixed since the release of 1.6.002
* for more information about bugfixes, see our changelog:
  http://www.egroupware.org/changelog
All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

Ralf
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

zorg 2010-03-13 21:19:54 UTC #10

hello
Sorry to post annoying mail, I’m just to stupid to look correctly the code

so I just apologize for my recent post

Everything is there, so now, I’ll hope i could continue improve and
test Egroupware and syncml

zorg a écrit :

Hello
I’m sad there is no developer that have time to answer my question
because for me this functunality was nice to help configure stuff for
syncml so I’ll very interest to know why you removed this

thanks

zorg a écrit :
Hello
first at all I want to thanks you about this new release and the
security fix

and I have a question
I thought that 1.6.003 would include all the stuff implement in the
patch http://k.noc.de/index.php?option=com_content&view=article&id=6

but all the setting preferences for the syncml doesn’t seem to be
present (egrouware/syncml/inc/hook_settings.inc.php)

Does this functionnality be add later , is it a choice to not implement
or is it me who is missing something

cyril

Christoph Kaulich a écrit :
Hello,

thanks a lot for all the work, Jörg has done a lot of things around Groupdav,
as I have tested Caldav seems to work now for infolog. Is there some
information about the changes somewhere?

Christoph
The new release fixes 2 serious security problems, many bugs and
implements SyncML 1.2

Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:
* one is a serious remote command execution (allowing to run
arbitrary command on the web server by simply issuing a HTTP request!).
* the other a reflected cross-site scripting (XSS).
* both require NO valid EGroupware account and work without being
logged in!

Vulnerable are all EGroupware version incl. 1.4.001+.002, 1.6.001+.002
and the commercial EPL versions 9.1+9.2!

The problem is fixed in EGroupware’s SVN (for 1.4, 1.6 and trunk) and
there will be a coordinated release of a new EGroupware version 1.6.003
by Stylite GmbH / EGroupware project and publication of the exploits by
CYBSEC S.A. on March 9th.

==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!

The security fixes are also included in the commercial EGroupware
version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.

1.6.003 does much more then fixing the above security problems:
* implements SyncML 1.2 support and many SyncML fixes
* lots of bugs fixed since the release of 1.6.002
* for more information about bugfixes, see our changelog:
  http://www.egroupware.org/changelog
All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

Ralf
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

Ralf_Becker_Stylite 2010-03-26 10:56:26 UTC #11

With 1.6.003 some annoying bugs slipped through, which we now fixed with
updated 1.6.003-2 packages.

Please note:

SyncML application now needs to be enabled for a user or group like
all other applications. Otherwise all SyncML access will fail!
you always need to install at least two packages: eGroupware and
eGroupware-egw-pear (this is for license reasons and was always that way)
updated RPM packages use version 1.6.003-15.1 (not 1.6.003-2)!
NEW repository for Debian or Ubuntu is available now, see
www.egroupware.org/download for details

All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

==> We recommend everyone updates to 1.6.003-2

Ralf

Ralf Becker schrieb:

The new release fixes 2 serious security problems, many bugs and
implements SyncML 1.2

Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:
* one is a serious remote command execution (allowing to run
arbitrary command on the web server by simply issuing a HTTP request!).
* the other a reflected cross-site scripting (XSS).
* both require NO valid EGroupware account and work without being
logged in!

Vulnerable are all EGroupware version incl. 1.4.001+.002, 1.6.001+.002
and the commercial EPL versions 9.1+9.2!

The problem is fixed in EGroupware’s SVN (for 1.4, 1.6 and trunk) and
there will be a coordinated release of a new EGroupware version 1.6.003
by Stylite GmbH / EGroupware project and publication of the exploits by
CYBSEC S.A. on March 9th.

==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!

The security fixes are also included in the commercial EGroupware
version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.

1.6.003 does much more then fixing the above security problems:
* implements SyncML 1.2 support and many SyncML fixes
* lots of bugs fixed since the release of 1.6.002
* for more information about bugfixes, see our changelog:
  http://www.egroupware.org/changelog
All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

Ralf

–
Ralf Becker
Director Software Development

Stylite GmbH
[open style of IT]

Morschheimer Strasse 15
67292 Kirchheimbolanden

fon +49 (0) 6352 70629-0
fax +49 (0) 6352 70629-30
mailto: rb@stylite.de

www.stylite.de
www.egroupware.org

Geschäftsführer Andre Keller,
Gudrun Müller, Ralf Becker
Registergericht Kaiserslautern HRB 30575
Umsatzsteuer-Id / VAT-Id: DE214280951

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers

Andrea_Netmail 2010-03-26 12:47:47 UTC #12

Thanks!!

-----Messaggio originale-----
Inviato: venerdì 26 marzo 2010 11:56
of users for users of eGroupWare; development of eGroupWare, for active
developers; egroupware-german@lists.sourceforge.net
release

With 1.6.003 some annoying bugs slipped through, which we now fixed with
updated 1.6.003-2 packages.

Please note:

SyncML application now needs to be enabled for a user or group like
all other applications. Otherwise all SyncML access will fail!
you always need to install at least two packages: eGroupware and
eGroupware-egw-pear (this is for license reasons and was always that way)
updated RPM packages use version 1.6.003-15.1 (not 1.6.003-2)!
NEW repository for Debian or Ubuntu is available now, see
www.egroupware.org/download for details

All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

==> We recommend everyone updates to 1.6.003-2

Ralf

Ralf Becker schrieb:

The new release fixes 2 serious security problems, many bugs and
implements SyncML 1.2

Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:
* one is a serious remote command execution (allowing to run
arbitrary command on the web server by simply issuing a HTTP request!).
* the other a reflected cross-site scripting (XSS).
* both require NO valid EGroupware account and work without being
logged in!

Vulnerable are all EGroupware version incl. 1.4.001+.002, 1.6.001+.002
and the commercial EPL versions 9.1+9.2!

The problem is fixed in EGroupware’s SVN (for 1.4, 1.6 and trunk) and
there will be a coordinated release of a new EGroupware version 1.6.003
by Stylite GmbH / EGroupware project and publication of the exploits by
CYBSEC S.A. on March 9th.

==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!

The security fixes are also included in the commercial EGroupware
version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.

1.6.003 does much more then fixing the above security problems:
* implements SyncML 1.2 support and many SyncML fixes
* lots of bugs fixed since the release of 1.6.002
* for more information about bugfixes, see our changelog:
  http://www.egroupware.org/changelog
All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

Ralf

–
Ralf Becker
Director Software Development

Stylite GmbH
[open style of IT]

Morschheimer Strasse 15
67292 Kirchheimbolanden

fon +49 (0) 6352 70629-0
fax +49 (0) 6352 70629-30
mailto: rb@stylite.de

www.stylite.de
www.egroupware.org

Geschäftsführer Andre Keller,
Gudrun Müller, Ralf Becker
Registergericht Kaiserslautern HRB 30575
Umsatzsteuer-Id / VAT-Id: DE214280951

–
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers