ROSA Linux Bugzilla – Bug 1738
eGroupware is out of date and missing dependencies
Last modified: 2013-03-01 14:59:02 MSK
The version of eGroupware included in Rosa 2012 Marathon (1.8.001) is out of date when compared against the current version (1.8.004). This leaves open several unpatched security holes, including a severe XSS one:
Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functions_inc.php in eGroupware before 1.8.004.20120405 allows remote attackers to inject arbitrary web script or HTML via the menuaction parameter to etemplate/process_exec.php.
In addition, there are several unmet dependencies that are not configured by eGroupware that are required.
php-zip must be installed.
php-pear's XML Feed Parser must be installed.
And in php.ini, mbstring.func_overload = 7: ini_get('mbstring.func_overload')='7' must be done for eGroupware to function correctly.
The package is updated to 1.8.004.20120423, but other issues are not touched yet.
All you have to do is add these things to the Requires section.
Dependencies are updated, as well.