-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA 747-1                     security@debian.org
http://www.debian.org/security/                              Michael Stone
July 10, 2005                           http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : egroupware
Vulnerability  : remote command execution
Problem type   : input validation error
Debian-specific: no
CVE Id(s)      : CAN-2005-1921

A vulnerability has been identified in the xmlrpc library included in
the egroupware package. This vulnerability could lead to the execution
of arbitrary commands on the server running egroupware.

The old stable distribution (woody) did not include egroupware.

For the current stable distribution (sarge), this problem is fixed in
version 1.0.0.007-2.dfsg-2sarge1.

For the unstable distribution (sid), this problem is fixed in version
1.0.0.007-3.dfsg-1.

We recommend that you upgrade your egroupware package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian 3.1 (sarge)
- ------------------

  sarge was released for alpha, arm, hppa, i386, ia64, m68k, mips,
  mipsel, powerpc, s390 and sparc.
- -------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iQCVAwUBQtFdYg0hVr09l8FJAQJn5QP/W3BxmQKGz9C7u9zG7G9kTgO8lmZSy99E
98nwM3puUkDU5na4Mx3OSiNJ/RsNP/8PwwRVhX/CCQ8n4e+BloX9zCfY1TGFKZI9
BYFU00zrRGjOXyJ0ulHtIhaXcLiGJsxvfVcC5jQkvuzJhqirewc24uZu3gmoEJw7
7l4KF2r8Gts=
=rdLU
-----END PGP SIGNATURE-----