phpgroupware-developers

From: Olivier Berger
Subject: Re: [phpGroupWare-developers] SECURITY - URGENT ? [Fwd: Re: Bug#472685: phpgroupware-phpsysinfo: [CVE-2007-4048] XSS vulnerability, still no fix provided for stable/etch ?]
Date: Thu, 27 Mar 2008 13:13:20 +0100

Thanks for this confirmation Dave.

I'll take care of the next steps with the Debian security team.

Just a comment: on such security-related issues, I think it would be safer
to use GPG-signed messages, just for added security.


Also, see more comments below.

Best regards,

On Thursday, 27 March 2008 at 10:45 +0000, Dave Hall wrote:
> Hi Olivier,
> 
> I thought I would reply publicly here in addition to my email last night
> my time.
> 

SNIP

> Just so people are clear CVE-2007-4048 was not exploitable when running
> phpsysinfo from within phpGroupWare.

Good news. Dunno if this is possible, but there are lots of references to
that security problem in phpgroupware that may be worth tracking and
signaling as not accurate.

>   In 0.9.16.012 you got an updated
> (and more secure) version of phpsysinfo.
> 

That wouldn't hurt for sure ;)

> > Btw, if there's a security related list, it may be worth being on board
> > as soon as possible to be able to prepare patches and so on for the
> > Debian package...
> 
> There isn't such a list.  What I usually do is try to grab our packagers to
> let them know what is happening in advance - by a couple of hours.  I am
> happy to try to provide security only patches on request, or give you a
> list of svn revision/s to grab.
> 

At the moment, is there such a list concerning 0.9.16.012? ... or at
least fixes not related to security on that branch (I've seen a couple,
I think).

Best regards,
-- 
Olivier BERGER <address@hidden> (*NEW ADDRESS*)
http://www-inf.it-sudparis.eu/~olberger/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM / TELECOM & Management SudParis
(http://www.it-sudparis.eu/), Evry
