[horde] another security issue discovered in Horde ref. CVE-2022-30287

Jos van der Woude jos at veerkade.com
Wed Jun 8 10:49:08 UTC 2022


Reverting to the older versions
turba[1] 4.2.25 and
Horde_Imsp 2.0.5

made the errors go away.

But now, I still have the CVE issue.

Regards
Jos

Quoting Jos van der Woude <jos at veerkade.com>:

> I am on Fedora 34. Yes I know this went EOL yesterday.
> Still there because F35 comes with PHP 8 ...
>
> Quoting Jos van der Woude <jos at veerkade.com>:
>
>> Hi all,
>>
>> Yesterday I applied the patch for CVE-2022-30287 using pear upgrade --alldeps horde/turba
>>
>> Since then lots of errors in the logs:
>>
>> HORDE[127489]:[turba] $config must be an array [pid 127489 on line 55 of "/var/www/html/mail/horde/turba/lib/Factory/Driver.php"]
>>
>> Some emails display correctly, others show up as empty and throw up this error.
>>
>> Any ideas, anyone?
>>
>> Regards
>> Jos
>>
>> Quoting Jan Schneider <jan at horde.org>:
>>
>>> Zitat von Michael Menge <michael.menge at zdv.uni-tuebingen.de>:
>>>
>>>> Hi Pascal
>>>>
>>>> Quoting Pascal Rigaux <pascal.rigaux at univ-paris1.fr>:
>>>>
>>>>> On 02/06/2022 12:20, Michael Menge wrote:
>>>>>
>>>>>>> Hi. I did the following quick fix with no regression for now...
>>>>>>
>>>>>> Thanks for the patch, but some of our users are unable to use horde, because
>>>>>> they receive a white page with "not allowed". I am still investigating.
>>>>>
>>>>> It seems the patch is enough IF you have
>>>>>
>>>>> $cfgSources['localsql']['use_shares'] = false;
>>>>
>>>> We use use_shares, so that was not working.
>>>>
>>>>>> Is there another way to mitigate the CVE?
>>>>>
>>>>> Here is a more complete tentative: https://github.com/UnivParis1/turba/tree/CVE-2022-30287
>>>>>
>>>>> - "create" method does NOT allow arrays
>>>>> - "createTrusted" method allows array, and is used everywhere the array comes from the horde conf.
>>>>
>>>> Thanks for the updated patch.
>>>
>>> Thanks for testing the patch, we are going to release a fix ASAP, but probably not before the weekend.
>>>
>>> Jan.
>>>
>>> --
>>> Jan Schneider
>>> The Horde Project
>>> https://www.horde.org/
>>>
>>> --
>>> Horde mailing list
>>> Frequently Asked Questions: http://horde.org/faq/
>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org



Links:
------
[1] https://webmail.veerkade.com/horde/admin/config/config.php?app=turba
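The split Pascal describes, written out as an added PHP sketch for readers following the thread: a string-only `create()` for source names that may arrive from a request, and an array-accepting `createTrusted()` reserved for configuration the application itself holds (which is what share-backed sources need, and why a patch that rejects every array broke `use_shares` setups). This is not Turba's code nor the UnivParis1 patch; `DemoDriverFactory`, the returned driver-name array and the `$cfgSources` entry are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Constructed stand-in for Turba's configured address-book sources; the real
// entries live in the $cfgSources array of turba/config/backends.php.
$cfgSources = [
    'localsql' => ['type' => 'sql', 'title' => 'Local Address Book', 'use_shares' => true],
];

final class DemoDriverFactory // hypothetical name, not Turba_Factory_Driver
{
    /** @var array<string, array> */
    private $cfgSources;

    public function __construct(array $cfgSources)
    {
        $this->cfgSources = $cfgSources;
    }

    // Untrusted entry point: accepts only a source *name*, e.g. from a request
    // parameter. Arrays are refused, so request data cannot supply a configuration.
    public function create($source): array
    {
        if (!is_string($source) || !isset($this->cfgSources[$source])) {
            throw new InvalidArgumentException('$source must name a configured source');
        }
        return $this->createTrusted($this->cfgSources[$source]);
    }

    // Trusted entry point: accepts a configuration array. Callers must take it from
    // the application's own configuration (including share entries derived from
    // it), never from request input.
    public function createTrusted(array $config): array
    {
        if (!isset($config['type']) || !is_string($config['type'])) {
            throw new InvalidArgumentException('$config must be an array with a string "type"');
        }
        // Demo: return the resolved driver class name instead of instantiating it.
        return ['driver' => 'Turba_Driver_' . ucfirst($config['type']), 'config' => $config];
    }
}

$factory = new DemoDriverFactory($cfgSources);
echo $factory->create('localsql')['driver'], PHP_EOL;   // configured name: accepted
try {
    $factory->create(['type' => 'sql']);                 // array from a request: refused
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Internal callers that already hold a configuration array (share handling, cron jobs) move to `createTrusted()`; anything that takes its argument from the request stays on `create()`.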

