[horde] another security issue discovered in Horde ref. CVE-2022-30287

Jos van der Woude jos at veerkade.com
Wed Jun 8 06:04:34 UTC 2022


  Hi all,

Yesterday I applied the patch for CVE-2022-30287 using pear upgrade --alldeps horde/turba

Since then lots of errors in the logs:

HORDE[127489]:[turba] $config must be an array [pid 127489 on line 55 of "/var/www/html/mail/horde/turba/lib/Factory/Driver.php"]

Some emails display correctly, others show up as empty and throw this error.

Any ideas, anyone?

Regards
Jos

Quoting Jan Schneider <jan at horde.org>:

> Zitat von Michael Menge <michael.menge at zdv.uni-tuebingen.de>:
>
>> Hi Pascal
>>
>> Quoting Pascal Rigaux <pascal.rigaux at univ-paris1.fr>:
>>
>>> On 02/06/2022 12:20, Michael Menge wrote:
>>>
>>>>> Hi. I did the following quick fix with no regression for now...
>>>>
>>>> Thanks for the patch, but some of our users are unable to use horde, because they receive a white page with "not allowed". I am still investigating.
>>>
>>> It seems the patch is enough IF you have
>>>
>>> $cfgSources['localsql']['use_shares'] = false;
>>
>> we use_shares, so that was not working.
>>
>>>> Is there an other way to mitigate the CVE?
>>>
>>> Here is a more complete attempt: https://github.com/UnivParis1/turba/tree/CVE-2022-30287
>>>
>>> - "create" method does NOT allow arrays
>>> - "createTrusted" method allows arrays, and is used everywhere the array comes from the horde conf.
>>
>> Thanks for the updated patch.
>
> Thanks for testing the patch, we are going to release a fix ASAP, but probably not before the weekend.
>
> Jan.
>
> --
> Jan Schneider
> The Horde Project
> https://www.horde.org/
>
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
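The create/createTrusted split described in the quoted thread, as an added illustration (example code, not Horde or Turba code, and not the patch linked above): a driver factory whose public entry point accepts only a source name and looks the configuration up itself, while the array-taking constructor path is reserved for configuration read from the application's own config files. The class name, the 'sql' driver type, the $cfgSources sample and the descriptor it returns are all assumptions made for this example.

```php
<?php
// Added example, not Horde/Turba code. Shows the idea from the thread:
// "create" must not accept arrays, "createTrusted" may, and is only fed
// from the application's own configuration. Names are hypothetical.

declare(strict_types=1);

final class TurbaLikeDriverFactory
{
    /** @var array<string, array<string, mixed>> configured address book sources */
    private array $cfgSources;

    public function __construct(array $cfgSources)
    {
        $this->cfgSources = $cfgSources;
    }

    /**
     * Entry point for anything that may carry request data. It accepts only
     * a source *name* and resolves the configuration locally, so a caller can
     * never smuggle in driver parameters (DSN, class name, server, ...).
     * Anything that is not a string, including an array, is rejected.
     */
    public function create($name): array
    {
        if (!is_string($name)) {
            throw new InvalidArgumentException(
                'Source must be a string name, got ' . gettype($name)
            );
        }
        if (!isset($this->cfgSources[$name])) {
            throw new InvalidArgumentException("Unknown source '$name'");
        }
        return $this->createTrusted($this->cfgSources[$name]);
    }

    /**
     * Only for configuration that originates from the application's own
     * config files. Callers must never pass request data here.
     */
    public function createTrusted(array $config): array
    {
        if (!isset($config['type']) || !is_string($config['type'])) {
            throw new InvalidArgumentException('$config[type] must be a string');
        }
        // Real code would instantiate a driver class here; this example
        // returns a normalised descriptor to stay self-contained.
        return [
            'type'   => $config['type'],
            'params' => $config['params'] ?? [],
        ];
    }
}

// Constructed sample configuration, standing in for $cfgSources from backends.php.
$cfgSources = [
    'localsql' => [
        'type'       => 'sql',
        'params'     => ['table' => 'turba_objects'],
        'use_shares' => false,
    ],
];
$factory = new TurbaLikeDriverFactory($cfgSources);

// Legitimate call: a source name selected in the UI.
$driver = $factory->create('localsql');
echo $driver['type'], PHP_EOL;

// Hostile-shaped input: an array where a name was expected (PHP builds such
// an array from a query string like source[type]=...&source[params][server]=...).
try {
    $factory->create(['type' => 'ldap', 'params' => ['server' => 'attacker.example']]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The point of the split is that the type signature carries the trust boundary: every caller that can be reached with request data goes through create() and can only name a pre-configured source, while createTrusted() stays an internal detail whose array argument is, by construction, never built from user input.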

