[horde] another security issue discovered in Horde ref. CVE-2022-30287
Christoph Haas
christoph+horde at haas-online.org
Mon Jun 13 16:11:33 UTC 2022
Dear Jens,
dear Jan,
Jens, since you're writing "Most of his changes can be applied
directly to the Horde 5 code (with some fuzz), only the Horde 5 code in
"turba/lib/Application.php" needs some manual tweaking."
For the files in horde/turba/lib
Api.php
Application.php
Driver/Share.php
Driver/Vbook.php
Factory/Driver.php
Form/CreateAddressBook.php
Turba.php
the patch seems just to replace "create" with "createTrusted" on the
affected lines.
Btw.: I could not find the file
"horde/turba/bin/turba-import-openxchange" and the corresponding
"horde/turba/bin"-directory on my Horde-installation (PEAR-install)
but never mind ...
So on Linux I would do:
root@myhorde:/# cd /tmp
root@myhorde:/tmp# git clone https://github.com/UnivParis1/turba.git
root@myhorde:/tmp# cd turba
root@myhorde:/tmp/turba# git reset --hard 9f2521328aa7d0dbd905591eca138c8e7580d673
and copy all patched files to my webroot.
--> What "manual tweaking" in "horde/turba/lib/Application.ini" has to be done?
And what is the "fuzz" with the other files?
On the other hand, I don't even know if the patch will help me, since
on my Horde installation the following is configured in
horde/turba/config/backends.php:
$cfgSources['localsql']['use_shares'] = true,
@Jan:
Or could I solve all the trouble through a PEAR upgrade to Turba 4.2.28?
What about the trouble in 4.2.27 with not being able to read all mails
(as reported by Jos van der Woude on 8 June 2022, 08:04:34 CEST)?
Is this fixed in 4.2.28?
Can anybody give me some insights on how to proceed?
Thanks
Christoph.