[horde] another security issue discovered in Horde ref. CVE-2022-30287

Jos van der Woude jos at veerkade.com
Wed Jun 8 08:08:01 UTC 2022


I am on Fedora 34. Yes I know this went EOL yesterday.
Still there because F35 comes with PHP 8 ...

Quoting Jos van der Woude <jos at veerkade.com>:

> Hi all,
>
> Yesterday I applied the patch for CVE-2022-30287 using pear upgrade  
> --alldeps horde/turba
>
> Since then lots of errors in the logs:
>
> HORDE[127489]:[turba] $config must be an array [pid 127489 on line  
> 55 of "/var/www/html/mail/horde/turba/lib/Factory/Driver.php"]
>
> Some emails display correctly, others show up as empty and throw up this error.
>
> Any ideas, anyone?
>
> Regards
> Jos
>
> Quoting Jan Schneider <jan at horde.org>:
>
>> Quoting Michael Menge <michael.menge at zdv.uni-tuebingen.de>:
>>
>>> Hi Pascal
>>>
>>> Quoting Pascal Rigaux <pascal.rigaux at univ-paris1.fr>:
>>>
>>>> On 02/06/2022 12:20, Michael Menge wrote:
>>>>
>>>>>> Hi. I did the following quick fix with no regression for now...
>>>>>
>>>>> Thanks for the Patch, but some of our users are unable to use  
>>>>> horde, because
>>>>> they receive a white page with "not allowed". I am still investigating.
>>>>
>>>> It seems the patch is enough IF you have
>>>>
>>>> $cfgSources['localsql']['use_shares'] = false;
>>>
>>> we use_shares, so that was not working.
>>>
>>>>> Is there an other way to mitigate the CVE?
>>>>
>>>> Here is a more complete tentative:  
>>>> https://github.com/UnivParis1/turba/tree/CVE-2022-30287
>>>>
>>>> - "create" method does NOT allow arrays
>>>> - "createTrusted" method allows array, and is used everywhere the  
>>>> array comes from the horde conf.
>>>
>>> Thanks for the updated patch.
>>
>> Thanks for testing the patch, we are going to release a fix ASAP,  
>> but probably not before the weekend.
>>
>> Jan.
>>
>> --
>> Jan Schneider
>> The Horde Project
>> https://www.horde.org/
>>
>> --
>> Horde mailing list
>> Frequently Asked Questions: http://horde.org/faq/
>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
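The quoted patch description (a "create" method that refuses arrays, and a separate "createTrusted" method used wherever the array comes from the Horde configuration) is a general pattern worth seeing in code. The following is an added illustration of that split, written for this archive page; it is not Horde or Turba code and not the patch from the linked UnivParis1 branch. The class names, the two sample entries in $cfgSources, and the Backend_* stand-ins are all assumptions made for the example.

```php
<?php
// Added illustration (not Horde code) of the split described in the thread:
// create() takes only a configured source NAME, createTrusted() takes a
// config ARRAY and is reserved for configuration the server itself owns.
// All class names and the sample $cfgSources entries below are assumptions.

// Constructed stand-in for the $cfgSources array an administrator maintains.
$cfgSources = array(
    'localsql' => array(
        'title'      => 'Shared Address Books',
        'type'       => 'Sql',
        'params'     => array('table' => 'turba_objects'),
        'use_shares' => true,
    ),
    'localldap' => array(
        'title'  => 'Corporate Directory',
        'type'   => 'Ldap',
        'params' => array('server' => 'ldap.example.internal'),
    ),
);

// Minimal stand-ins for the backend classes a factory would instantiate.
abstract class Backend
{
    protected $params;
    public function __construct(array $params) { $this->params = $params; }
    public function describe() { return static::class . ' ' . json_encode($this->params); }
}
class Backend_Sql extends Backend {}
class Backend_Ldap extends Backend {}

class DriverFactory
{
    private $sources;

    public function __construct(array $sources) { $this->sources = $sources; }

    /**
     * Untrusted entry point. Only a string naming a configured source is
     * accepted; arrays and unknown names are rejected before anything is
     * instantiated, so a request parameter can never pick the driver class
     * or its connection parameters.
     */
    public function create($name)
    {
        if (!is_string($name) || !array_key_exists($name, $this->sources)) {
            throw new InvalidArgumentException('Unknown address book source');
        }
        return $this->createTrusted($this->sources[$name]);
    }

    /**
     * Trusted entry point. Takes a full config array; callers must only
     * pass arrays built from server-side configuration, never from the
     * request. The type is still mapped onto a closed class family.
     */
    public function createTrusted(array $config)
    {
        if (!isset($config['type']) || !is_string($config['type'])) {
            throw new InvalidArgumentException('$config must name a backend type');
        }
        $class = 'Backend_' . $config['type'];
        if (!class_exists($class) || !is_subclass_of($class, 'Backend')) {
            throw new RuntimeException('Unsupported backend type ' . $config['type']);
        }
        $params = isset($config['params']) ? $config['params'] : array();
        return new $class($params);
    }
}

$factory = new DriverFactory($cfgSources);

// Normal request: the client names a configured source.
$requested = 'localldap';  // e.g. the value of a "source" request parameter
echo $factory->create($requested)->describe(), PHP_EOL;

// The same request parameter arriving as an array is refused outright.
$hostile = array('type' => 'Sql', 'params' => array('table' => 'attacker_chosen'));
try {
    $factory->create($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// The array form remains available to trusted, server-side callers.
echo $factory->createTrusted($cfgSources['localsql'])->describe(), PHP_EOL;
```

The point of the second method is the one the thread runs into with use_shares: address books derived from shares are built from configuration arrays on the server side, so a patch that simply rejects arrays everywhere breaks them (the "not allowed" white page Michael reports), while a patch that rejects arrays only at the request-facing entry point and routes the server's own arrays through a trusted path closes the hole without that regression. Which callers count as trusted is a per-codebase audit, not something this illustration can decide.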

