wilde: doc/www/src/security kolab-vendor-notice-27.txt,NONE,1.1
cvs at kolab.org
Fri Jan 15 18:16:47 CET 2010
Author: wilde
Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv16883
Added Files:
kolab-vendor-notice-27.txt
Log Message:
Added advisory 27.
--- NEW FILE: kolab-vendor-notice-27.txt ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kolab Security Issue 27 20100115
================================
Package: Kolab Server, Kolab Web Admin
Vulnerability: Users can not change their password
Kolab Specific: yes
Dependent Packages: none
Summary
~~~~~~~
The Kolab Web Admin interface allows Kolab users to manipulate some of
their user data using a web browser. Most importantly it enables
users to change their passwords.
In the kolab-webadmin package shipped with Kolab Server release 2.2.3,
the web admin interface fails to save changed user data (an LDAP error
is issued).
Affected Versions
~~~~~~~~~~~~~~~~~
This affects version 2.2.3-20091217 of kolab-webadmin.
Kolab Server 2.2.3 is affected.
Fix
~~~
Update your kolab-webadmin package:
OpenPKG packages for Kolab Server 2.2.3 are available from
https://files.kolab.org/server/security-updates/20100115/
or from the mirrors listed on http://kolab.org/mirrors.html
A binary RPM for Kolab Server 2.2.3 (ix86 Debian GNU/Linux Lenny)
is available as kolab-webadmin-2.2.3-20100115.ix86-debian5.0-kolab.rpm
A binary RPM for Kolab Server 2.2.3 (ix86 Debian GNU/Linux Etch)
is available as kolab-webadmin-2.2.3-20100115.ix86-debian4.0-kolab.rpm
You can check the integrity of the downloaded files with:
$ gpg --keyserver keys.gnupg.net --recv-key 4BB86568
$ gpg --verify SHA1SUMS.sig
$ sha1sum -c SHA1SUMS
The source package can be compiled and installed on your Kolab Server with:
# su - kolab
$ openpkg rpm --rebuild ...path/to.../kolab-webadmin-2.2.3-20100115.src.rpm
$ openpkg rpm -Uvh /kolab/RPM/PKG/kolab-webadmin-2.2.3-20100115.<ARCH>-<OS>-kolab.rpm
To install a binary package, just skip the --rebuild step.
Details
~~~~~~~
https://issues.kolab.org/issue4025
Bug report in the official kolab issue tracker.
Timeline
~~~~~~~~
20100103 First report per private mail
20100112 Public problem report
20100115 Updated kolab-webadmin package available and Kolab Server
security advisory published.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAktQok8ACgkQuyGFFEu4ZWigJQCgmbCIEGW28/dyWDHvXVGI2TP9
fK0An3nFwtGhQsD/M4Kl6XLh2LR8PFi9
=HSEu
-----END PGP SIGNATURE-----
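Review bot: the integrity-check step in the Fix section names the signing key only by its 32-bit short ID ("gpg --keyserver keys.gnupg.net --recv-key 4BB86568"), and short IDs are not unique, so a reader can end up importing a different key with the same ID and still get a good signature from "gpg --verify SHA1SUMS.sig". Print the full fingerprint of the signing key in the advisory and tell readers to compare it after the import and before trusting the verify result. In the same section, the mirror list is linked as http://kolab.org/mirrors.html while the primary download location is https; it is worth stating that SHA1SUMS and SHA1SUMS.sig must pass the gpg check no matter which mirror served the packages.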