Subject: Re: [Phpgroupware-developers] PHPGW - SECURITY WARNING ALL BRANCHES
From: Dave Hall
Date: Fri, 04 Jul 2003 19:26:11 +1000

Olivier Berger <address@hidden> wrote:
> On Thu 03/07/2003 at 10:15, Dave Hall wrote:
> > Hi all,
> >
> > Please be aware there is a minor security advisory for phpgw. See
> > http://www.security-corporation.co for more
> > info.
> >
> > There is also a vfs security patch. This prevents the vfs path
> > being in the document root, which has been exploited in other
> > php based groupware suites.
> >
> > We have fixed this in cvs for all branches (14, 16preRC and
> > HEAD). This affects all previous versions of phpgroupware. We will
> > be releasing packaged releases in about 12 hours.
> >
>
> I've tried to check what is necessary to apply to correct these bugs,
> and made a diff against 0.9.14.003, and there seems to be more than
> just security patches...
Yes, there are various bug fixes also. There are no database changes or
new features included in this release. 0.9.14.003 required a minor db
change to correct a major bug. As a general rule only bug fixes are
included in .00x increment releases.
>
> Is there any detailed ChangeLog, and specific details of the patches
> that may be necessary to correct only the security issues (and maybe
> links to bug numbers, etc.)?
There were no formal bug reports filed for these items. I would
strongly recommend a full update so you get the bug fixes also.
>
> For instance if applying a patch is easier than simply deploying a
> complete new version, that may be more convenient for some...
It is pretty straightforward to update your install.

Firstly back up your database and your install dir - same for applying a
patch :)

    cd /path/to/phpgroupware
    cvs update -dPC

Note: the C will do a clean update, so any modified files will be moved
to .#filename. If you have modified files use -dP instead.

As stated in the release announcement, we will not be providing support
for previous versions of phpGW. This decision was taken after some
consultation between the active contributors to the project; it was felt
that the security issues warranted all users upgrading ASAP.

Cheers
Dave
>
> Thanks in advance.
>
> Best regards,
> --
> Olivier BERGER <address@hidden>
> Ingénieur Recherche - Dept INF
> INT Evry (http://www.int-evry.fr)
> OpenPGP-Id: 1024D/6B829EEC