From: Ralf B. <rb...@st...> - 2010-03-26 10:56:35
With 1.6.003 some annoying bugs slipped through, which we have now fixed with updated 1.6.003-2 packages.

Please note:

* The SyncML application now needs to be enabled for a user or group like all other applications. Otherwise all SyncML access will fail!
* You always need to install at least *two* packages: eGroupware and eGroupware-egw-pear (this is for license reasons and was always that way).
* Updated RPM packages use version 1.6.003-15.1 (not 1.6.003-2)!
* A *NEW* repository for Debian or Ubuntu is available now, see www.egroupware.org/download for details.

All package types are available via our download page:
http://www.egroupware.org/download

Update instructions are available via the setup manual pages:
http://www.egroupware.org/wiki/ManualSetupUpdate

==> We recommend everyone updates to 1.6.003-2

Ralf

Ralf Becker wrote:
> The new release fixes 2 serious security problems, many bugs and implements SyncML 1.2
>
> Nahuel Grisolia from CYBSEC S.A. Security Systems found two security problems in EGroupware:
>
> * one is a serious remote command execution (allowing to run arbitrary commands on the web server by simply issuing an HTTP request!).
> * the other a reflected cross-site scripting (XSS).
> * both require NO valid EGroupware account and work without being logged in!
>
> Vulnerable are all EGroupware versions incl. 1.4.001+.002, 1.6.001+.002 and the commercial EPL versions 9.1+9.2!
>
> The problem is fixed in EGroupware's SVN (for 1.4, 1.6 and trunk) and there will be a coordinated release of a new EGroupware version 1.6.003 by Stylite GmbH / EGroupware project and publication of the exploits by CYBSEC S.A. on March 9th.
>
> ==> WE RECOMMEND EVERYONE UPDATES AS SOON AS POSSIBLE!
>
> The security fixes are also included in the commercial EGroupware version (http://www.stylite.de/EPL) EPL 9.1.20100309 and 9.2.20100309.
>
> 1.6.003 does much more than fixing the above security problems:
>
> * implements SyncML 1.2 support and many SyncML fixes
> * lots of bugs fixed since the release of 1.6.002
> * for more information about bugfixes, see our changelog: http://www.egroupware.org/changelog
>
> All package types are available via our download page:
> http://www.egroupware.org/download
>
> Update instructions are available via the setup manual pages:
> http://www.egroupware.org/wiki/ManualSetupUpdate
>
> Ralf

-- 
Ralf Becker
Director Software Development
Stylite GmbH [open style of IT]
Morschheimer Strasse 15
67292 Kirchheimbolanden
phone +49 (0) 6352 70629-0
fax +49 (0) 6352 70629-30
mailto: rb...@st...
www.stylite.de
www.egroupware.org
________________________________________________
Managing directors: Andre Keller, Gudrun Müller, Ralf Becker
Commercial register: Kaiserslautern HRB 30575
VAT ID: DE214280951