[Kolab-devel] Security Issue 27 for Kolab Server (Kolab Web Admin)
Sascha Wilde
wilde at intevation.de
Fri Jan 15 18:18:58 CET 2010
Kolab Security Issue 27 20100115
================================

Package: Kolab Server, Kolab Web Admin
Vulnerability: Users cannot change their passwords
Kolab Specific: yes
Dependent Packages: none

Summary
~~~~~~~
The Kolab Web Admin interface allows Kolab users to manipulate some of
their user data using a web browser. Most importantly, it enables
users to change their passwords.

In the kolab-webadmin package shipped with Kolab Server release 2.2.3,
the web admin interface fails to save changed user data (an LDAP error
is issued).

Affected Versions
~~~~~~~~~~~~~~~~~
This affects version 2.2.3-20091217 of kolab-webadmin.
Kolab Server 2.2.3 is affected.

Fix
~~~
Update your kolab-webadmin package:

OpenPKG packages for Kolab Server 2.2.3 are available from
https://files.kolab.org/server/security-updates/20100115/
or from the mirrors listed on http://kolab.org/mirrors.html

A binary RPM for Kolab Server 2.2.3 (ix86 Debian GNU/Linux Lenny)
is available as kolab-webadmin-2.2.3-20100115.ix86-debian5.0-kolab.rpm

A binary RPM for Kolab Server 2.2.3 (ix86 Debian GNU/Linux Etch)
is available as kolab-webadmin-2.2.3-20100115.ix86-debian4.0-kolab.rpm

You can check the integrity of the downloaded files with:

  $ gpg --keyserver keys.gnupg.net --recv-key 4BB86568
  $ gpg --verify SHA1SUMS.sig
  $ sha1sum -c SHA1SUMS

The source package can be compiled and installed on your Kolab Server with:

  # su - kolab
  $ openpkg rpm --rebuild ...path/to.../kolab-webadmin-2.2.3-20100115.src.rpm
  $ openpkg rpm -Uvh /kolab/RPM/PKG/kolab-webadmin-2.2.3-20100115.<ARCH>-<OS>-kolab.rpm

To install a binary package, just skip the --rebuild step.
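The signature and checksum steps above can be combined into one pre-install check. The script below is an added example and is not part of the advisory or of the Kolab project. It assumes the layout the advisory describes (SHA1SUMS, SHA1SUMS.sig and the downloaded RPM in one directory) and uses the key id 4BB86568 quoted in the advisory; it trusts the manifest only after its signature verifies, and it closes a gap that a plain `sha1sum -c SHA1SUMS` leaves open: files that are not listed in the manifest are never checked, so the script first requires the package about to be installed to appear in SHA1SUMS.

```sh
#!/bin/sh
# Added example, not part of the Kolab advisory: verify a downloaded
# kolab-webadmin RPM against the signed SHA1SUMS manifest before it is
# handed to openpkg. Assumes the advisory's layout (SHA1SUMS, SHA1SUMS.sig
# and the RPM in one directory) and that the signing key (id 4BB86568 per
# the advisory) has already been imported with gpg --recv-key.
set -u

KOLAB_KEY_ID="4BB86568"

# Return 0 only if SHA1SUMS.sig is a valid signature over SHA1SUMS made by
# KOLAB_KEY_ID. gpg's machine-readable VALIDSIG line carries the signing
# key's full fingerprint, whose last eight hex digits are the short key id,
# so a good signature from some other key is rejected as well. Compare
# against the full fingerprint instead if you have it from a trusted source.
verify_manifest_signature() {
    dir="$1"
    gpg --status-fd 1 --verify "$dir/SHA1SUMS.sig" "$dir/SHA1SUMS" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG [0-9A-F]*${KOLAB_KEY_ID} "
}

# Print the SHA1SUMS line for file "$2" from manifest "$1"; return 1 if the
# file is not listed. Handles both "<hash>  name" and "<hash> *name" forms.
manifest_line_for() {
    while IFS= read -r line; do
        name=${line#* }     # drop the hash
        name=${name# }      # text mode: second separating space
        name=${name#\*}     # binary mode: leading '*'
        if [ "$name" = "$2" ]; then
            printf '%s\n' "$line"
            return 0
        fi
    done < "$1"
    return 1
}

# Check package "$2" in directory "$1" against the manifest.
# Returns 0 on match, 1 on checksum mismatch, 2 if the package is not
# listed at all. sha1sum -c only checks files that appear in the list, so
# an unlisted file would otherwise pass "sha1sum -c SHA1SUMS" unnoticed.
verify_package_checksum() {
    dir="$1"
    pkg="$2"
    line=$(manifest_line_for "$dir/SHA1SUMS" "$pkg") || return 2
    ( cd "$dir" && printf '%s\n' "$line" | sha1sum -c - >/dev/null 2>&1 ) || return 1
}

# Usage: verify-kolab-pkg.sh <download-dir> <rpm-file-name>
# Runs both checks and only then prints the install step from the advisory.
if [ $# -eq 2 ]; then
    verify_manifest_signature "$1" || { echo "manifest signature invalid or wrong key" >&2; exit 1; }
    verify_package_checksum "$1" "$2"
    case $? in
        0) echo "verified: $1/$2"; echo "next: openpkg rpm -Uvh $1/$2" ;;
        1) echo "checksum mismatch for $2" >&2; exit 1 ;;
        2) echo "$2 is not listed in SHA1SUMS" >&2; exit 1 ;;
    esac
fi
```

Run it as the kolab user from the directory holding the downloaded files, for example `sh verify-kolab-pkg.sh . kolab-webadmin-2.2.3-20100115.ix86-debian5.0-kolab.rpm`; the install command is printed rather than executed so the checks and the privileged step stay separate.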

Details
~~~~~~~
https://issues.kolab.org/issue4025
Bug report in the official Kolab issue tracker.

Timeline
~~~~~~~~
20100103 First report per private mail
20100112 Public problem report
20100115 Updated kolab-webadmin package available and Kolab Server
         security advisory published.

--
Sascha Wilde OpenPGP key: 4BB86568
http://www.intevation.de/~wilde/ http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner