Bug 1738 - eGroupware is out of date and missing dependencies
Status: RESOLVED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Contributed Packages
Version: Marathon
Hardware: All Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: ROSA Linux Bugs
QA Contact: ROSA Linux Bugs
Reported: 2013-03-01 12:29 MSK by Zombie Ryushu
Modified: 2013-03-01 14:59 MSK
RPM Package: egroupware
Description Zombie Ryushu 2013-03-01 12:29:41 MSK
The version of eGroupware included in Rosa 2012 Marathon (1.8.001) is out of date when compared against the current version (1.8.004). This leaves open several un-patched security holes, including a severe XSS one.

Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functions_inc.php in eGroupware before 1.8.004.20120405 allows remote attackers to inject arbitrary web script or HTML via the menuaction parameter to etemplate/process_exec.php.

In addition, there are several unmet dependencies that are not configured by eGroupware that are required.

php-zip must be installed.
php-pear's XML Feed Parser must be installed.

And in php.ini mbstring.func_overload = 7: ini_get('mbstring.func_overload')='7' must be done for eGroupware to function correctly.
Comment 1 Denis Silakov 2013-03-01 13:54:45 MSK
The package is updated to 1.8.004.20120423, but other issues are not touched yet.
Comment 2 Zombie Ryushu 2013-03-01 14:39:05 MSK
All you have to do is add these things to the Requires section.
Comment 3 Denis Silakov 2013-03-01 14:59:02 MSK
Dependencies are updated, as well.
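
An added example, not part of the bug report and not code from eGroupware or the ROSA package: a shell helper that places an installed eGroupware version relative to the fixed release named in the description (1.8.004.20120405) and reads the effective mbstring.func_overload value from php.ini text. The function names and the sample php.ini fragment are hypothetical; it assumes a bare "1.8.004" without a date stamp cannot be placed, and that the last uncommented assignment in php.ini is the one in effect.

```shell
#!/bin/sh
# Added example: checks for the two conditions named in the bug report.
FIXED="1.8.004.20120405"   # first fixed version, taken from the advisory text

# Print "affected", "fixed" or "unknown" for an eGroupware version string.
egw_xss_status() {
    ver=${1%%-*}                                  # drop an RPM release suffix
    case $ver in
        ''|*[!0-9.]*) echo unknown; return ;;     # not a dotted numeric version
        1.8.004)      echo unknown; return ;;     # no date stamp to compare
    esac
    awk -v a="$ver" -v b="$FIXED" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {  # missing fields count as 0
            if (x[i] + 0 < y[i] + 0) { print "affected"; exit }
            if (x[i] + 0 > y[i] + 0) { print "fixed"; exit }
        }
        print "fixed"                             # equal to the fixed version
    }'
}

# Read php.ini text on stdin; print the value of mbstring.func_overload
# (last uncommented assignment is used), or "unset".
func_overload_value() {
    awk -F= '
        /^[ \t]*;/ { next }
        $1 ~ /^[ \t]*mbstring\.func_overload[ \t]*$/ {
            v = $2; sub(/;.*/, "", v); gsub(/[ \t"\r]/, "", v); val = v
        }
        END { print (val == "" ? "unset" : val) }'
}

# Constructed sample php.ini fragment, not taken from a real system.
SAMPLE_INI='[mbstring]
;mbstring.func_overload = 0
mbstring.func_overload = 7 ; value from the bug report
'

for v in 1.8.001 1.8.004 1.8.004.20120423-1; do
    printf '%s: %s\n' "$v" "$(egw_xss_status "$v")"
done
printf 'mbstring.func_overload: %s\n' "$(printf '%s' "$SAMPLE_INI" | func_overload_value)"
```

On a real host the version string would come from the package manager and the second function would be fed the php.ini that the web server's PHP actually loads.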