Phpgroupware security release
Benoit Hamet
2010-05-12 17:18:06 UTC
The CT Team is urging everybody to upgrade their phpgw installation to now.

Some vulnerabilities have been pointed out by VUPEN Security and we have
fixed them in this release. More information is available on our website

Please go to download it at http://download.phpgroupware.org/now
and then upgrade your installation.

Please don't forget to save your DB before doing the update !

The packages are signed with my gpg key. Please check the integrity of
your files with the md5sum and check for the official package with my
public key.

We are looking for new dev, so please let us know if you are interested
in contributing !


Olivier Berger
2010-05-12 17:32:02 UTC
Post by Benoit Hamet
> The packages are signed with my gpg key. Please check the integrity of
> your files with the md5sum and check for the official package with my
> public key.

(Hmmm... your email's signature seems invalid after having been
distributed by the list manager... maybe normal ;-)
gpg: MAUVAISE signature de « Benoit Hamet (Email Perso) <***@laposte.net> »)

Anyway... where are these checksums / sigs supposed to be ?

I can't see a link at http://download.phpgroupware.org/now to the checksums/sigs (but for the nightly builds) :-/

Hope this helps.

Best regards,
Olivier BERGER <***@it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)

Benoit Hamet
2010-06-02 10:22:58 UTC
Hi all,

Just a quick upgrade on this :
- full version has been put in the svn and tagged accordingly.
- there's a patch available at : http://savannah.gnu.org/patch/?7214
for fixing a problem occurring to address book users due to this
security release. Since I didn't get so many complaints about it, I'm
starting to think of closing definitively the 016 branch (at least).
- this fix will be present in the next release (the 017 one).

Post by Olivier Berger
> Post by Benoit Hamet
>> The packages are signed with my gpg key. Please check the integrity of
>> your files with the md5sum and check for the official package with my
>> public key.
> (Hmmm... your email's signature seems invalid after having been
> distributed by the list manager... maybe normal ;-)

Unfortunately yes, the list manager is adding a list signature which
corrupts the message when using the pgp/mime type for a message (I should
use the embedded signature in these cases). I hope this message will be
rightly signed :).

Post by Olivier Berger
> Anyway... where are these checksums / sigs supposed to be ?

I have added the gpg signature files as a download link on the
download/now section. If you take a look on sourceforge, all packages have
their .sig file, as well as an md5sum file for those who didn't have a
reliable network connection.

Post by Olivier Berger
> I can't see a link at http://download.phpgroupware.org/now to the checksums/sigs (but for the nightly builds) :-/
> Hope this helps.

Yes thanks :).

Best regards,
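
The two checks discussed in this thread (the md5sum list for transfer integrity, the detached `.sig` for authenticity), as an added shell example that is not part of the thread or of the phpGroupWare project. The file names and the expected key fingerprint are caller-supplied placeholders; the fingerprint is assumed to come from a source other than the download mirror.

```shell
#!/bin/sh
# Added example. All paths and the fingerprint are supplied by the caller.

# check_md5 FILE SUMS: compare FILE against its entry in an md5sum-format list.
# This only detects a damaged transfer: anyone who can replace the package
# on the mirror can replace the list too.
check_md5() {
    name=$(basename "$1")
    # Entries look like "<hash>  <name>" or "<hash> *<name>" (binary mode).
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f)
                               if (f == n) { print $1; exit } }' "$2" |
           tr 'A-F' 'a-f')
    [ -n "$want" ] || { echo "no entry for $name in $2" >&2; return 2; }
    have=$(md5sum "$1" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# check_sig FILE SIG FPR: verify the detached signature and require that it
# was made by the key with fingerprint FPR (40 hex digits, no spaces).
check_sig() {
    [ -n "$3" ] || { echo "expected fingerprint missing" >&2; return 2; }
    # gpg exits 0 for a good signature from ANY key in the keyring, so the
    # fingerprint on the VALIDSIG status line is compared as well.
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | grep -q -- "$3"
}

# verify_release FILE SUMS SIG FPR: run both checks, stop at the first failure.
verify_release() {
    check_md5 "$1" "$2" || { echo "MD5 mismatch or no entry: re-download" >&2; return 1; }
    check_sig "$1" "$3" "$4" || { echo "signature not valid for expected key" >&2; return 1; }
    echo "OK: $1"
}

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then
    verify_release "$@"
fi
```

The signer's public key must already be imported into the local keyring before `check_sig` can succeed.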

