[CVE-2007-5091] egroupware: new upstream version 1.4.002

Bug #151492 reported by RalfBecker
Affects / Status / Importance / Assigned to / Milestone
egroupware (Debian): Fix Released / Unknown
egroupware (Ubuntu): Fix Released / Undecided / Unassigned
Declined for Gutsy by Henrik Nilsen Omma
Nominated for Hardy by Mark Stosberg

Bug Description

Binary package hint: egroupware

The new upstream package eGroupWare-1.4.002 contains, besides many bugfixes, a fix for an XSS problem which is unfixed in your existing eGroupWare 1.2 packages. The new version also fixes all of your reported bugs for eGW. Unfortunately the former version 1.4.001 was too late for Debian 4.0, and the 1.2 (which you also include so far) does not play well with php5 or postgres8. Therefore it was decided to completely drop eGroupWare from Debian 4.0, and it is now sitting forever in experimental :-( The Debian changelog of 1.4.002 contains links to the eGW svn containing the patch for the XSS problem, which can also be applied to 1.2 versions.


RalfBecker (ralfbecker) wrote :

What do we (eGroupWare project) need to do, to get our current stable release into Ubuntu again?
Ralf

Mark Stosberg (markstos)
Changed in egroupware:
status: New → Confirmed
Henrik Nilsen Omma (henrik) wrote :

Hi Ralf,

I'm removing the Gutsy nomination of this bug because it does not currently qualify for a 7.10 stable release update (SRU). See: https://wiki.ubuntu.com/StableReleaseUpdates . I'm also removing the security flag from the bug as there is no sensitive information in the report. I realise that you set it as such because your updated egroupware version contains security fixes. However, a security bug will not be visible to most developers.

I've subscribed Jamie Strandboge, who works with security issues on the server team. Jamie, could you advise on the best way to promote the latest versions of egroupware in Ubuntu? Generally security issues will be fixed by backporting fixes, while other bug fixes should be handled through backports.

Jamie Strandboge (jdstrand) wrote :

Only packages in the 'main' repository will receive security updates from Canonical. egroupware is currently included in the Ubuntu universe repository and this repository is community supported.

To have updated egroupware packages in Ubuntu, you may:
1. provide a debdiff for the package against the released versions of Ubuntu (eg, dapper, edgy, feisty and gutsy) and attach it to the bug report. For information on this, please see https://wiki.ubuntu.com/SecurityUpdateProcedures
2. get egroupware into the main repository. Please see https://wiki.ubuntu.com/MainInclusionProcess

RalfBecker (ralfbecker) wrote :

Hi Henrik & Jamie,

thanks for responding :-)

About 1.) I'm not familiar with debian/ubuntu package structure, the following link goes to the original debian bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444351
It contains a link to the patch extracted from our svn repository fixing the issue:
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=CVE-2007-5091.patch;att=1;bug=444351
As there's this patch and updated Debian packages egroupware/1.2.107-2.dfsg-2, do you still need that debdiff thing?

About 2.) I need to look into the requirements and see if we fulfill them and I have time to do the required report arguing to include eGW into main.

That still leaves the original issue: how do we (eGroupWare project) get current packages into Ubuntu, as long as Debian only has them in testing? I thought Ubuntu is not only repackaging Debian, but strives to be more innovative and current than Debian ;-)

Ralf

Jamie Strandboge (jdstrand) wrote :

Ralf, as egroupware is a universe package, it is not officially supported with security updates. I have made a link to the Debian report with the patch, and adjusted the title of the bug. If you or a community member provides a debdiff with the security patches for 6.06 - 7.10, then I will be happy to get it uploaded for you.

RalfBecker (ralfbecker) wrote : Re: [Bug 151492] Re: new upstream version 1.4.002

Hi Jamie,

I will try to find someone to provide that debdiff, as I personally have
no experience with the packaging of debian/ubuntu packages.

What about the other issue: including the current eGroupWare release
1.4.002 in the next Ubuntu release, even if Debian decided to let it sit
in experimental?

Kind regards

Ralf
eGroupWare admin

Jamie Strandboge wrote:
> Ralf, as egroupware is a universe package, it is not officially
> supported with security updates. I have made a link to the Debian
> report with the patch, and adjusted the title of the bug. If you or a
> community member provides a debdiff with the security patches for 6.06 -
> 7.10, then I will be happy to get it uploaded for you.
>
> ** Also affects: egroupware (Debian) via
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444351
> Importance: Unknown
> Status: Unknown
>
> ** Summary changed:
>
> - new upstream version 1.4.002
> + [CVE-2007-5091] egroupware: new upstream version 1.4.002
>

--
Ralf Becker
eGroupWare Training & Support ==> http://www.egroupware-support.de
Outdoor Unlimited Training GmbH [www.outdoor-training.de]
Commercial register HRB Kaiserslautern 3587
Managing directors Birgit and Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Phone +49 (0)631 31657-0

Mark Stosberg (markstos) wrote :

I'm going to try to make the requested 'debdiff' tonight. I've never done that before, so I'll see how it goes... However, I already did a manual install of eGroupware 1.4 on Ubuntu, and it went very smoothly.

  Mark

Changed in egroupware:
assignee: nobody → mark-summersault
RalfBecker (ralfbecker) wrote : Re: [Bug 151492] Re: [CVE-2007-5091] egroupware: new upstream version 1.4.002

Hi Mark,

thanks :-)

Ralf

Mark Stosberg wrote:
> I'm going to try to make the requested 'debdiff' tonight. I've never
> done that before, so I'll see how it goes... However, I already did a
> manual install of eGroupware 1.4 on Ubuntu, and it went very smoothly.
>
> Mark
>
> ** Changed in: egroupware (Ubuntu)
> Assignee: (unassigned) => Mark Stosberg (mark-summersault)
>

--
Ralf Becker
eGroupWare Training & Support ==> http://www.egroupware-support.de
Outdoor Unlimited Training GmbH [www.outdoor-training.de]
Commercial register HRB Kaiserslautern 3587
Managing directors Birgit and Ralf Becker
Leibnizstr. 17, 67663 Kaiserslautern, Germany
Phone +49 (0)631 31657-0

Mark Stosberg (markstos) wrote :

I followed the steps here tonight to build a debdiff:

https://wiki.ubuntu.com/PackagingGuide/Recipes/PackageUpdate

It ultimately failed because of the relationship with the "egw-pear" package, which I don't fully understand.

The final error when I ran "sudo pbuilder build egroupware_1.4.002.dfsg-1ubuntu1.dsc" was:

PACKAGING ERROR: directory egw-pear not found
make: *** [install] Error 1
dpkg-buildpackage: failure: fakeroot debian/rules binary gave error exit status 2

###

I don't know when I might get a chance to investigate this further, so I'm disowning the ticket for now.

   Mark

Changed in egroupware:
assignee: mark-summersault → nobody
Changed in egroupware:
status: Unknown → Fix Released
Jamie Strandboge (jdstrand) wrote :

The debdiffs are needed for the security updates, where Ubuntu keeps the same version and backports fixes.

Packaging a new upstream requires more work, and while a debdiff (or in this case an interdiff) is needed, the full debianized source package will also need to be provided. Here are a couple of places to get more information:

http://doc.ubuntu.com/ubuntu/packagingguide/C/index.html
https://wiki.ubuntu.com/PackagingGuide/Basic#NewPackages

I also can't recommend enough going to #ubuntu-motu on Freenode IRC. They are great people and you should be able to get real-time help from the community. If you are unfamiliar with IRC, see https://help.ubuntu.com/community/InternetRelayChat
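The two routes Jamie contrasts above (a stable security update that keeps the released version and backports the fix, versus packaging a new upstream) are easy to confuse, so here is an added example of the first one, written for this page and not taken from the bug report, the eGroupWare project or Ubuntu. It assumes an unpacked source tree, the CVE-2007-5091 patch from Debian bug #444351 saved as a local file, and that patch, debuild and debdiff are installed for the build steps; the version-bump and changelog helpers need only POSIX sh. The version suffix rule follows Ubuntu's documented SecurityUpdateProcedures convention (an unmodified Debian package gets ubuntu0.1 appended, an Ubuntu-modified one gets .1 appended); the maintainer address is a placeholder.

```shell
#!/bin/sh
# Added example (not the bug report's or any project's code): the stable
# security-update route for a universe package. Keep the released version,
# apply the upstream fix, bump the version the Ubuntu way, build a source
# package and produce the debdiff the security team asked for.

# Version string for a stable security update (Ubuntu convention):
#   unchanged Debian package   1.2.107-2.dfsg-2          -> 1.2.107-2.dfsg-2ubuntu0.1
#   Ubuntu-modified package    1.4.002.dfsg-1ubuntu1     -> 1.4.002.dfsg-1ubuntu1.1
#   already a stable update    1.2.107-2.dfsg-2ubuntu0.1 -> 1.2.107-2.dfsg-2ubuntu0.2
security_update_version() {
    v=$1
    case "$v" in
        *ubuntu*.*)  printf '%s.%d\n' "${v%.*}" "$(( ${v##*.} + 1 ))" ;;
        *ubuntu*)    printf '%s.1\n' "$v" ;;
        *)           printf '%subuntu0.1\n' "$v" ;;
    esac
}

# Source package name and version from the first line of debian/changelog.
changelog_head() {
    sed -n '1s/^\([^ ][^ ]*\) (\([^)]*\)).*/\1 \2/p' "$1"
}

# New changelog stanza. The CVE id and Launchpad bug number are the ones from
# this report; the maintainer line is a placeholder.
changelog_entry() {
    pkg=$1 ver=$2 dist=$3 cve=$4 lpbug=$5
    printf '%s (%s) %s-security; urgency=low\n\n' "$pkg" "$ver" "$dist"
    printf '  * SECURITY UPDATE: cross-site scripting (%s)\n' "$cve"
    printf '    - apply upstream fix linked from Debian bug #444351\n'
    printf '    - %s\n    - LP: #%s\n\n' "$cve" "$lpbug"
    printf ' -- Example Maintainer <maintainer@example.com>  %s\n\n' \
        "$(date -R 2>/dev/null || date)"
}

# Apply the patch, prepend the changelog stanza, build a source package and
# diff it against the unpatched one.
# $1 source dir, $2 patch file, $3 release (eg gutsy), $4 CVE id, $5 LP bug.
build_security_update() {
    srcdir=$1 patchfile=$2 dist=$3 cve=$4 lpbug=$5
    for tool in patch debuild debdiff; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing $tool" >&2; return 1; }
    done
    set -- $(changelog_head "$srcdir/debian/changelog")
    pkg=$1 oldver=$2
    newver=$(security_update_version "$oldver")
    # dry run first so a rejected hunk leaves the tree untouched
    (cd "$srcdir" && patch -p1 --dry-run <"$patchfile" && patch -p1 <"$patchfile") || return 1
    { changelog_entry "$pkg" "$newver" "$dist" "$cve" "$lpbug"
      cat "$srcdir/debian/changelog"; } >"$srcdir/debian/changelog.new" &&
        mv "$srcdir/debian/changelog.new" "$srcdir/debian/changelog"
    # source-only build; the .orig tarball is unchanged, so no -sa
    (cd "$srcdir" && debuild -S) || return 1
    # debuild writes the .dsc files to the parent directory
    (cd "$srcdir/.." &&
        debdiff "${pkg}_${oldver}.dsc" "${pkg}_${newver}.dsc" >"${pkg}_${newver}.debdiff" &&
        echo "wrote ${pkg}_${newver}.debdiff")
}

# Usage (assumed paths):
#   sh security_update.sh ./egroupware-1.2.107 CVE-2007-5091.patch gutsy CVE-2007-5091 151492
if [ "$#" -eq 5 ]; then
    build_security_update "$@"
fi
```

The resulting .debdiff is what gets attached to the bug; one is needed per released version (dapper, edgy, feisty, gutsy), each built from that release's own source package, since the patch context and the changelog head differ between them.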

Mark Stosberg (markstos) wrote :

I checked to see what happened in Debian that made them make this "Fix/Released". They applied the security patches to 1.2, rather than moving forward with a full 1.4 release.

Jonathan Ernst (jonathan.ernst) wrote :

This is still not fixed in hardy...

Mark Stosberg (markstos) wrote :

Jonathan,

It's not done yet because this is a volunteer effort and no one has volunteered. You are free to do the work yourself, or persuade or pay someone to do it for you.

   Mark

Jonathan Ernst (jonathan.ernst) wrote :

Hi Mark,

I'm well aware of this being a volunteer effort (I contribute myself to different such efforts), my comment was just a confirmation that this bug also affects hardy.

Sorry for the noise.

Federico Sassi (fsassi) wrote :

+1 for eGW 1.4 in Hardy!

Moreover, Hardy is an LTS release and eGW will likely be used on servers (which preferentially go with LTS releases!)!

William Grant (wgrant) wrote :

CVE-2007-5091 is fixed in both Gutsy and Hardy (version 1.2.107-2.dfsg-2 contains the fix).

William Grant (wgrant)
Changed in egroupware:
status: Confirmed → Fix Released
Mark Stosberg (markstos) wrote :

William Grant wrote:
> ** Changed in: egroupware (Ubuntu)
> Status: Confirmed => Fix Released

Thanks for releasing a fix for this security issue, William.

Shall we open a new bug report for a request for the 1.4.x version to be
packaged? That was part of this original bug report, but I realize it is
a separate issue than the security update.

    Mark
