Mandriva Linux Security Advisory 2015-087 - eGroupware prior to 1.8.006.20140217 is vulnerable to remote file deletion and possible remote code execution due to user input being passed to PHP's unserialize() method. eGroupWare before 1.8.007 allows logged in users with administrative privileges to remotely execute arbitrary commands on the server. It is also vulnerable to a cross site request forgery vulnerability that allows creating new administrative users.
574fe6d4c54586156bb4f27078d034bf2e81e5dc942e3eff6ea39230993dfeca-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2015:087
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : egroupware
Date : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________
Problem Description:
Updated egroupware packages fix security vulnerabilities:
eGroupware prior to 1.8.006.20140217 is vulnerable to remote file
deletion and possible remote code execution due to user input being
passed to PHP's unserialize() method (CVE-2014-2027).
eGroupWare before 1.8.007 allows logged in users with administrative
priviledges to remotely execute arbitrary commands on the server.
It is also vulnerable to a cross site request forgery vulnerability
that allows creating new administrative users.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2027
http://advisories.mageia.org/MGASA-2014-0116.html
http://advisories.mageia.org/MGASA-2014-0221.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 2/X86_64:
cf4a9bb8ef30cf74a7e8104eaed1e5ea mbs2/x86_64/egroupware-1.8.007.20140506-1.mbs2.noarch.rpm
7d471a1f7934338d9c17c39aed046a92 mbs2/x86_64/egroupware-bookmarks-1.8.007.20140506-1.mbs2.noarch.rpm
bca49e4c9f90170d049e0f573736553f mbs2/x86_64/egroupware-calendar-1.8.007.20140506-1.mbs2.noarch.rpm
3195fb6185b0db015c68eeed25391fea mbs2/x86_64/egroupware-developer_tools-1.8.007.20140506-1.mbs2.noarch.rpm
e9f33f46b78933cc7c7c054be6f1bc18 mbs2/x86_64/egroupware-egw-pear-1.8.007.20140506-1.mbs2.noarch.rpm
8298f11458f4d6ab41a76842990c9b88 mbs2/x86_64/egroupware-emailadmin-1.8.007.20140506-1.mbs2.noarch.rpm
8395d7c10874355e37d93af463a912c0 mbs2/x86_64/egroupware-felamimail-1.8.007.20140506-1.mbs2.noarch.rpm
79b36d573ccaedd8ad098054d6ac662f mbs2/x86_64/egroupware-filemanager-1.8.007.20140506-1.mbs2.noarch.rpm
e931484776456c96ad3f7c2a98991904 mbs2/x86_64/egroupware-gallery-1.8.007.20140506-1.mbs2.noarch.rpm
0e6028e764cfcbe9adc7e2d429e1bcfa mbs2/x86_64/egroupware-importexport-1.8.007.20140506-1.mbs2.noarch.rpm
4026fb77115740ac83b194b4051fec80 mbs2/x86_64/egroupware-infolog-1.8.007.20140506-1.mbs2.noarch.rpm
95d30157cd8d0cbf6c65442ad20e26ae mbs2/x86_64/egroupware-manual-1.8.007.20140506-1.mbs2.noarch.rpm
f9f5395813df6b06711304342fcbbd43 mbs2/x86_64/egroupware-news_admin-1.8.007.20140506-1.mbs2.noarch.rpm
5e67c67c9fd0eb7308d6f268ac8506ab mbs2/x86_64/egroupware-notifications-1.8.007.20140506-1.mbs2.noarch.rpm
921e180cc7b2c6d2de58e2b5dc877a2f mbs2/x86_64/egroupware-phpbrain-1.8.007.20140506-1.mbs2.noarch.rpm
bf3d6323441283889833de12eda53b1a mbs2/x86_64/egroupware-phpsysinfo-1.8.007.20140506-1.mbs2.noarch.rpm
675ea8d94c058a0c048b0784128f3bc1 mbs2/x86_64/egroupware-polls-1.8.007.20140506-1.mbs2.noarch.rpm
4488bb434ff2cee958198a62cd75915d mbs2/x86_64/egroupware-projectmanager-1.8.007.20140506-1.mbs2.noarch.rpm
b1af84b4ee06f528c1bbb2026a1371c5 mbs2/x86_64/egroupware-registration-1.8.007.20140506-1.mbs2.noarch.rpm
5a4b0422fcf415cf7dbb67677aea4e69 mbs2/x86_64/egroupware-sambaadmin-1.8.007.20140506-1.mbs2.noarch.rpm
8ad55477e0043a97b98c312f996e1b89 mbs2/x86_64/egroupware-sitemgr-1.8.007.20140506-1.mbs2.noarch.rpm
0995e8539c804e5146da0e75d7a26031 mbs2/x86_64/egroupware-syncml-1.8.007.20140506-1.mbs2.noarch.rpm
6f4a523abe8818c71327896b1e212326 mbs2/x86_64/egroupware-timesheet-1.8.007.20140506-1.mbs2.noarch.rpm
6b309a26af38d62d817558e0658e3426 mbs2/x86_64/egroupware-tracker-1.8.007.20140506-1.mbs2.noarch.rpm
dbdfa7fa5e27ea271d6addd9b52acfa8 mbs2/x86_64/egroupware-wiki-1.8.007.20140506-1.mbs2.noarch.rpm
c8da1009e22f6018fd784fc18aa63651 mbs2/SRPMS/egroupware-1.8.007.20140506-1.mbs2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFVFmNDmqjQ0CJFipgRAtHlAKCtdE8cImMGN1YVYOmTaAd42jXNrQCgjOhw
XKQ6enfHyzG4jrDO2ndwLyg=
=0Ip3
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed