phpgroupware-developers

From: Dave Hall
Subject: Re: [phpGroupWare-developers] SECURITY - URGENT ? [Fwd: Re: Bug#472685: phpgroupware-phpsysinfo: [CVE-2007-4048] XSS vulnerability, still no fix provided for stable/etch ?]
Date: Thu, 27 Mar 2008 12:24:13 +0000

On Thu, 2008-03-27 at 13:13 +0100, Olivier Berger wrote:
> Thanks for this confirmation Dave.
> 
> I'll take care of the next steps with the Debian security team.
> 
> Just a comment, on such security-wise issues, I think it would be safer
> to use GPG signed messages, just for added security.
> 

That would require me to brute force the pass phrase on my gpg key.

> 
> Also, see more comments below.

ditto

> > Just so people are clear CVE-2007-4048 was not exploitable when running
> > phpsysinfo from within phpGroupWare.
> 
> Good news. Dunno if this is possible, but there are lots of references to
> that security problem in phpgroupware that may be worth tracking and
> signaling as not accurate.

We got on those lists thanks to Debian saying we were vulnerable and us
pushing a release.  The Debian security team wanted it fixed
"yesterday", so I did my best.  Yes, I should have verified it, but you
assume they had done their homework before complaining so loudly.


> > There isn't such a list.  What I usually try to do is grab our packagers to
> > let them know what is happening in advance - by a couple of hours.  I am
> > happy to try to provide security-only patches on request, or give you a
> > list of svn revision/s to grab.
> > 
> 
> At the moment, is there such a list concerning 0.9.16.012 ? ... or at
> least fixes not related to security on that branch (I've seen a couple,
> I think).

The list is in my sent items folder :)  As for what is/isn't security
related in 0.9.16.x - everything added since 0.9.16.012 isn't security
related AFAIK.

Cheers

Dave
