wilde: doc/www/src/security kolab-vendor-notice-27.txt,NONE,1.1

cvs at kolab.org cvs at kolab.org
Fri Jan 15 18:16:47 CET 2010


Author: wilde

Update of /kolabrepository/doc/www/src/security
In directory doto:/tmp/cvs-serv16883

Added Files:
	kolab-vendor-notice-27.txt 
Log Message:
Added advisory 27.


--- NEW FILE: kolab-vendor-notice-27.txt ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kolab Security Issue 27 20100115
================================

Package:              Kolab Server, Kolab Web Admin
Vulnerability:        Users can not change their password
Kolab Specific:       yes
Dependent Packages:   none


Summary
~~~~~~~

The Kolab Web Admin interface allows Kolab users to manipulate some of
their user data using a web browser.  Most importantly it enables
users to change their passwords.

In the kolab-webadmin package shipped with Kolab Server release 2.2.3,
the web admin interface fails to save changed user data (an LDAP error
is issued).


Affected Versions
~~~~~~~~~~~~~~~~~

This affects version 2.2.3-20091217 of kolab-webadmin.
Kolab Server 2.2.3 is affected.


Fix
~~~

Update your kolab-webadmin package:

OpenPKG packages for Kolab Server 2.2.3 are available from
https://files.kolab.org/server/security-updates/20100115/
or from the mirrors listed on http://kolab.org/mirrors.html

A binary RPM for Kolab Server 2.2.3 (ix86 Debian GNU/Linux Lenny)
is available as kolab-webadmin-2.2.3-20100115.ix86-debian5.0-kolab.rpm

A binary RPM for Kolab Server 2.2.3 (ix86 Debian GNU/Linux Etch)
is available as kolab-webadmin-2.2.3-20100115.ix86-debian4.0-kolab.rpm

You can check the integrity of the downloaded files with:

$ gpg --keyserver keys.gnupg.net --recv-key 4BB86568
$ gpg --verify SHA1SUMS.sig
$ sha1sum -c SHA1SUMS

The source package can be compiled and installed on your Kolab Server with:

# su - kolab
$ openpkg rpm --rebuild ...path/to.../kolab-webadmin-2.2.3-20100115.src.rpm
$ openpkg rpm -Uvh /kolab/RPM/PKG/kolab-webadmin-2.2.3-20100115.<ARCH>-<OS>-kolab.rpm	

To install a binary package, just skip the --rebuild step.


Details
~~~~~~~

https://issues.kolab.org/issue4025
	Bug report in the official kolab issue tracker.


Timeline
~~~~~~~~
    20100103 First report per private mail
    20100112 Public problem report
    20100115 Updated kolab-webadmin package available and Kolab Server
             security advisory published.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAktQok8ACgkQuyGFFEu4ZWigJQCgmbCIEGW28/dyWDHvXVGI2TP9
fK0An3nFwtGhQsD/M4Kl6XLh2LR8PFi9
=HSEu
-----END PGP SIGNATURE-----
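
Review bot: in the Fix section, the integrity check imports the signing key by its 8-digit short ID (`$ gpg --keyserver keys.gnupg.net --recv-key 4BB86568`). A short ID does not uniquely identify an OpenPGP key, so a different key with the same short ID could be fetched from the keyserver, and `gpg --verify SHA1SUMS.sig` would then report a good signature made by that key. Suggest printing the full fingerprint of the signing key in the advisory text and adding a step that compares it with the output of `gpg --fingerprint 4BB86568` before the verify result is trusted. Separately, the Vulnerability field and Summary describe only the functional failure (changed user data, including passwords, is not saved); one sentence on why this is handled as a security issue would help readers prioritise the update.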




