[Kolab-devel] Security Issue 27 for Kolab Server (Kolab Web Admin)

Sascha Wilde wilde at intevation.de
Fri Jan 15 18:18:58 CET 2010


Kolab Security Issue 27 20100115
================================

Package:              Kolab Server, Kolab Web Admin
Vulnerability:        Users cannot change their password
Kolab Specific:       yes
Dependent Packages:   none


Summary
~~~~~~~

The Kolab Web Admin interface allows Kolab users to manipulate some of
their user data using a web browser.  Most importantly, it enables
users to change their passwords.

In the kolab-webadmin package shipped with Kolab Server release 2.2.3,
the web admin interface fails to save changed user data (an LDAP error
is issued).


Affected Versions
~~~~~~~~~~~~~~~~~

This affects version 2.2.3-20091217 of kolab-webadmin.
Kolab Server 2.2.3 is affected.


Fix
~~~

Update your kolab-webadmin package:

OpenPKG packages for Kolab Server 2.2.3 are available from
https://files.kolab.org/server/security-updates/20100115/
or from the mirrors listed on http://kolab.org/mirrors.html

A binary RPM for Kolab Server 2.2.3 (ix86 Debian GNU/Linux Lenny)
is available as kolab-webadmin-2.2.3-20100115.ix86-debian5.0-kolab.rpm

A binary RPM for Kolab Server 2.2.3 (ix86 Debian GNU/Linux Etch)
is available as kolab-webadmin-2.2.3-20100115.ix86-debian4.0-kolab.rpm

You can check the integrity of the downloaded files with:

$ gpg --keyserver keys.gnupg.net --recv-key 4BB86568
$ gpg --verify SHA1SUMS.sig
$ sha1sum -c SHA1SUMS

The source package can be compiled and installed on your Kolab Server with:

# su - kolab
$ openpkg rpm --rebuild ...path/to.../kolab-webadmin-2.2.3-20100115.src.rpm
$ openpkg rpm -Uvh /kolab/RPM/PKG/kolab-webadmin-2.2.3-20100115.<ARCH>-<OS>-kolab.rpm

To install a binary package, just skip the --rebuild step.
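A small wrapper around the verification and install steps above, added here as an example and not part of the advisory. It assumes the downloaded RPM, SHA1SUMS and SHA1SUMS.sig sit in one directory, and it fails closed: nothing is handed to openpkg unless the signature over SHA1SUMS and the checksums of the files both verify.

```shell
#!/bin/sh
# Added example, not from the advisory: verify the Kolab update files
# before installing, refusing to install if either check fails.

KOLAB_KEY_ID="4BB86568"      # OpenPGP key id named in the advisory
KEYSERVER="keys.gnupg.net"   # keyserver named in the advisory

# Exit 0 only when SHA1SUMS.sig is a good signature over SHA1SUMS.
# Missing files or a missing gpg binary count as failure (fail closed).
verify_signature() {
    dir="$1"
    [ -f "$dir/SHA1SUMS" ] && [ -f "$dir/SHA1SUMS.sig" ] || return 1
    command -v gpg >/dev/null 2>&1 || return 1
    gpg --keyserver "$KEYSERVER" --recv-key "$KOLAB_KEY_ID" >/dev/null 2>&1 || return 1
    (cd "$dir" && gpg --verify SHA1SUMS.sig SHA1SUMS >/dev/null 2>&1)
}

# Exit 0 only when every file listed in SHA1SUMS is present and matches.
# If you downloaded only some of the listed packages, GNU coreutils 8.25+
# offers --ignore-missing; by default a missing file is a failure.
check_sums() {
    dir="$1"
    [ -f "$dir/SHA1SUMS" ] || return 1
    (cd "$dir" && sha1sum -c SHA1SUMS >/dev/null 2>&1)
}

# Run both checks, then install with openpkg as the advisory describes
# (run as the kolab user, see "su - kolab" above). Never installs on failure.
install_verified() {
    dir="$1"; pkg="$2"
    verify_signature "$dir" || { echo "signature check failed: not installing" >&2; return 1; }
    check_sums "$dir"       || { echo "checksum mismatch: not installing" >&2; return 1; }
    openpkg rpm -Uvh "$dir/$pkg"
}

# Usage: sh verify-kolab-update.sh /path/to/download/dir <package>.rpm
if [ "$#" -eq 2 ]; then
    install_verified "$1" "$2"
fi
```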


Details
~~~~~~~

https://issues.kolab.org/issue4025
	Bug report in the official kolab issue tracker.


Timeline
~~~~~~~~
    20100103 First report per private mail
    20100112 Public problem report
    20100115 Updated kolab-webadmin package available and Kolab Server
             security advisory published.
-- 
Sascha Wilde                                          OpenPGP key: 4BB86568
http://www.intevation.de/~wilde/                  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Managing Directors:   Frank Koormann,  Bernhard Reiter,  Dr. Jan-Oliver Wagner