[Phpgroupware-users] phpGroupWare 0.9.16.011 Security and Bug Fix Release is out

[Dave Hall]

Hi all,

A security vulnerability has been discovered in phpGW < 0.9.16.011  We
were not given a heads up before it was published. 

The exploit is in the holiday code in calendar.  It can only be
exploited with register_globals = on and gpc_magic_quotes = off.

The advisory can be found at
http://www.frsirt.com/english/advisories/2006/3414

There is code which exploits the vulnerability in the wild - see
http://milw0rm.com/exploits/2270

All users are strongly encouraged to upgrade immediately.

You can grab the new version from -
http://sourceforge.net/project/showfiles.php?group_id=7305

Or update from cvs
$ cd /path/to/phpgroupware
$ cvs update -dP

In addition to the security issue above, this release fixes support for
MySQL4.1+ and pgsql 8.  Support for php5 has been improved too, php5
should now work with zend.ze1_compatibility_mode on

When grabbing your update, check out the conference -
http://conference.phpgroupware.org :)

Cheers

Dave
-- 
Dave Hall (aka skwashd)
API Coordinator
phpGroupWare
+-------------------------------------+-------------------------------+
| e address@hidden          | w phpgroupware.org            |
| j address@hidden                 | aim skwashd                   |
| icq 278064022                       | msn address@hidden       |
| sip address@hidden       | y! skwashd                    |
+-------------------------------------+-------------------------------+