From: Dave Hall
Subject: Re: [phpGroupWare-developers] SECURITY - URGENT ? [Fwd: Re: Bug#472685: phpgroupware-phpsysinfo: [CVE-2007-4048] XSS vulnerability, still no fix provided for stable/etch ?]
Date: Thu, 27 Mar 2008 12:24:13 +0000
On Thu, 2008-03-27 at 13:13 +0100, Olivier Berger wrote:
> Thanks for this confirmation Dave.
>
> I'll take care of the next steps with the Debian security team.
>
> Just a comment, on such security-wise issues, I think it would be safer
> to use GPG signed messages, just for added security.
>
That would require me to brute force the pass phrase on my gpg key
>
> Also, see more comments below.
ditto
> > Just so people are clear CVE-2007-4048 was not exploitable when running
> > phpsysinfo from within phpGroupWare.
>
> Good news. Dunno if this is possible, but there are lots of references to
> that security problem in phpgroupware that may be worth tracking and
> signaling as not accurate.
We got on those lists thanks to Debian saying we were vulnerable and us
pushing a release. The Debian security team wanted it fixed
"yesterday", so I did my best. Yes I should have verified it, but you
assume they had done their homework before complaining so loudly.
> > There isn't such a list. What I usually try to do is grab our packagers to
> > let them know what is happening in advance - by a couple of hours. I am
> > happy to try to provide security only patches on request, or give you a
> > list of svn revision/s to grab.
> >
>
> At the moment, is there such a list concerning 0.9.16.012 ? ... or at
> least fixes not related to security on that branch (I've seen a couple,
> I think).
The list is in my sent items folder :) As for what is/isn't security
related in 0.9.16.x - everything added since 0.9.16.012 isn't security
related AFAIK.
Cheers
Dave