phpgroupware-developers

Re: [Phpgroupware-developers] PHPGW - SECURITY WARNING ALL BRANCHES


From: Dave Hall
Subject: Re: [Phpgroupware-developers] PHPGW - SECURITY WARNING ALL BRANCHES
Date: Fri, 04 Jul 2003 19:26:11 +1000

Olivier Berger <address@hidden> wrote:

> On Thu 03/07/2003 at 10:15, Dave Hall wrote:
> > Hi all,
> > 
> > Please be aware there is a minor security advisory for phpgw.  See
> > http://www.security-corporation.co for more
> > info.
> > 
> > There is also a vfs security patch.  This prevents the vfs path
> > being in the document root, which has been exploited in other php based
> > groupware suites.
> > 
> > We have fixed this in cvs for all branches (14, 16preRC and HEAD).  This
> > affects all previous versions of phpgroupware.  We will be releasing
> > packaged releases in about 12 hours.
> > 
> 
> I've tried and checked what is necessary to apply to correct these bugs,
> and made a diff against 0.9.14.003, and there seems to be more than
> just security patches...

Yes, there are various bug fixes also.  There are no database changes or
new features included in this release.  0.9.14.003 required a minor db
change to correct a major bug.  As a general rule only bug fixes are
included in .00x increment releases.

> 
> Is there any detailed ChangeLog, and specific details of the patches that
> may be necessary to correct only the security issues (and maybe links to
> bug numbers, etc.)?

There were no formal bug reports filed for these items.  I would
strongly recommend a full update so you get the bug fixes also.

> 
> For instance if applying a patch is easier than simply deploying a
> complete new version, that may be more convenient for some...

It is pretty straightforward to update your install.

Firstly back up your database and your install dir - same for applying a
patch :)

cd /path/to/phpgroupware
cvs update -dPC

Note: the C will do a clean update, so any modified files will be moved
to .#filename.  If you have modified files use -dP instead.

As stated in the release announcement, we will not be providing support
for previous versions of phpGW.  This decision was taken after some
consultation between the active contributors to the project, it was felt
that the security issues warranted all users upgrading ASAP.

Cheers

Dave

> 
> Thanks in advance.
> 
> Best regards,
> -- 
> Olivier BERGER <address@hidden>
> Research Engineer - Dept INF
> INT Evry (http://www.int-evry.fr)
> OpenPGP-Id: 1024D/6B829EEC
> 
> 
> 
> 
> _______________________________________________
> Phpgroupware-developers mailing list
> address@hidden
> http://mail.gnu.org/mailman/listinfo/phpgroupware-developers
>

Attachment: dave.hall.vcf
Description: Card for <dave.hall@mbox.com.au>
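
Added example (not part of the original message and not phpGroupWare's patch): the thread says the vfs fix keeps the vfs path out of the document root, and the shell check below tests that condition for two directories the administrator supplies. The function names canon and inside_docroot are hypothetical; both paths are resolved physically so that symlinks and look-alike sibling names (www vs www2) do not give a false answer.

```shell
#!/bin/sh
# Added example: does a file-store directory resolve to a location inside
# the web server's document root? Both paths are supplied by the caller;
# nothing here is taken from phpGroupWare's own code.

# canon DIR: print the physical (symlink-resolved) absolute path of DIR.
# Fails if DIR does not exist or cannot be entered.
canon() {
    ( cd -P -- "$1" 2>/dev/null && pwd -P )
}

# inside_docroot STORE DOCROOT
# Returns 0 if STORE is DOCROOT or below it, 1 if it is outside,
# and 2 if either path cannot be resolved.
inside_docroot() {
    store=$(canon "$1") || return 2
    root=$(canon "$2") || return 2
    # Everything is below "/".
    [ "$root" = "/" ] && return 0
    # Compare with a trailing slash so /srv/www2 is not taken for /srv/www.
    case "$store/" in
        "$root/"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Command-line use: sh check.sh /path/to/files /path/to/docroot
if [ "$#" -eq 2 ]; then
    rc=0
    inside_docroot "$1" "$2" || rc=$?
    case $rc in
        0) echo "FAIL: $1 resolves inside document root $2" ;;
        1) echo "OK: $1 is outside document root $2" ;;
        *) echo "ERROR: cannot resolve $1 or $2" >&2 ;;
    esac
fi
```
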

