[horde] another security issue discovered in Horde ref. CVE-2022-30287
Michael J Rubinsky
mrubinsk at horde.org
Tue Jun 14 04:19:42 UTC 2022
Quoting Christoph Haas <christoph+horde at haas-online.org>:
> Dear Jens,
> dear Jan,
>
> Jens, since you're writing "Most of his changes can be applied
> directly to the Horde 5 code (with ome fuzz), only the Horde 5 code
> in "turba/lib/Application.php" needs some manual tweaking."
>
> For the files in horde/turba/lib
> Api.php
> Application.php
> Driver/Share.php
> Driver/Vbook.php
> Factory/Driver.php
> Form/CreateAddressBook.php
> Turba.php
>
> the patch seems just to change on the affected lines "create" with
> "createTrusted".
>
>
> Btw.: I could not find the file
> "horde/turba/bin/turba-import-openxchange" and the corresponding
> "horde/turba/bin"-directory on my Horde-installation (PEAR-install)
> but nevermind ...
>
>
> So on Linux I would do:
> root at myhorde:/# cd /tmp
> root at myhorde:/tmp# git clone https://github.com/UnivParis1/turba.git
> root at myhorde:/tmp/turba# git reset --hard
> 9f2521328aa7d0dbd905591eca138c8e7580d673
> and copy all patched files to my webroot.
>
> --> what "manual tweeking" in "horde/turba/lib/Application.ini has
> to be done?
> And what "fuzz" is with the other files?
>
>
> On the other hand I don't even know, if the patch will help me,
> since on my Horde-installation is in horde/turba/config/backends.php
> $cfgSources['localsql']['use_shares'] = true,
> configured.
>
>
> @Jan:
> Or could I solve all the trouble through PEAR-upgrade to Turba 4.2.28?
> What about the troubles in 4.2.27 not to being able to read all
> mails (as reported from Jos van der Woude on 08. Juni 2022-06-08,
> 08:04:34 CEST).
> Is this fixed in 4.2.28?
4.2.28 should fix the remaining regressions. My advice is to upgrade,
and not apply any other patches at this time.
> Can anybody give me some insights on how to proceed?
>
> Thanks
> Christoph.
>
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
--
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-keys
Size: 9386 bytes
Desc: PGP Public Key
URL: <https://lists.horde.org/archives/horde/attachments/20220614/5b22affd/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: PGP Digital Signature
URL: <https://lists.horde.org/archives/horde/attachments/20220614/5b22affd/attachment.sig>
More information about the horde
mailing list