The new release fixes 2 serious security problems and many bugs, and
implements SyncML 1.2
Nahuel Grisolia from CYBSEC S.A. Security Systems found two security
problems in EGroupware:
* one is a serious remote command execution (allowing arbitrary
commands to be run on the web server by simply issuing a HTTP request!).
* the other is a reflected cross-site scripting (XSS).
* both require NO valid EGroupware account and work without being
logged in!
Vulnerable are all EGroupware versions, including 1.4.001+.002, 1.6.001+.002
and the commercial EPL versions 9.1+9.2!
The problem is fixed in EGroupware’s SVN (for 1.4, 1.6 and trunk) and
there will be a coordinated release of a new EGroupware version 1.6.003
by Stylite GmbH / EGroupware project and publication of the exploits by
CYBSEC S.A. on March 9th.
==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!
The security fixes are also included in the commercial EGroupware
version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.
1.6.003 does much more than fixing the above security problems:
* implements SyncML 1.2 support and many SyncML fixes
* lots of bugs fixed since the release of 1.6.002
* for more information about bugfixes, see our changelog:
http://www.egroupware.org/changelog
All package types are available via our download page:
http://www.egroupware.org/download
Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate
--
Stylite GmbH
Morschheimer Strasse 15 | D-67292 Kirchheimbolanden | Germany
fon +49 (0)6352 70629-0 | fax +49 (0)6352 70629-30
mail info@stylite.de
www.stylite.de