
Bug#1012279: php-horde-turba: CVE-2022-30287


Salvatore Bonaccorso

Jun 2, 2022, 4:40:04 PM
Source: php-horde-turba
Version: 4.2.25-5
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <te...@security.debian.org>

Hi,

The following vulnerability was published for php-horde-turba,
CVE-2022-30287[0].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-30287
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30287
[1] https://blog.sonarsource.com/horde-webmail-rce-via-email/
[2] https://lists.horde.org/archives/horde/Week-of-Mon-20220530/059225.html
[3] https://github.com/horde/turba/pull/7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Mike Gabriel

Jun 5, 2022, 8:10:04 AM
Hi Juri,

On Sa 04 Jun 2022 00:13:11 CEST, debian wrote:

> Hello,
>
> here is a draft for the MR:
> https://salsa.debian.org/horde-team/php-horde-turba/-/merge_requests/1
> I would look after it next time on Sunday evening.
>
> @Mike: Can you please review it?
>
> Best Regards,
> Juri Grabowski

Fix uploaded. Thanks.
Mike
--

DAS-NETZWERKTEAM
c/o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.g...@das-netzwerkteam.de, http://das-netzwerkteam.de

Salvatore Bonaccorso

Jun 5, 2022, 8:40:04 AM
Hi,

On Sun, Jun 05, 2022 at 12:02:54PM +0000, Mike Gabriel wrote:
> Hi Juri,
>
> On Sa 04 Jun 2022 00:13:11 CEST, debian wrote:
>
> > Hello,
> >
> > here is a draft for the MR:
> > https://salsa.debian.org/horde-team/php-horde-turba/-/merge_requests/1
> > I would look after it next time on Sunday evening.
> >
> > @Mike: Can you please review it?

It looks like the force-pushed commit two days ago adjusted two
further create() -> createTrusted() instances in lib/Application.php;
can you double check?

https://github.com/horde/turba/commit/9f2521328aa7d0dbd905591eca138c8e7580d673
(which is not yet merged, but compare to the used
https://github.com/horde/turba/commit/784da95e0190321b08ceeb27e2cb6c7505f2057c).

p.s.: the upload did contain a non-valid bug closer, which, in case the
above is correct, can simply be closed in a 4.2.25-7 upload.

Regards,
Salvatore

Mike Gabriel

Jun 5, 2022, 4:00:04 PM
Hi Salvatore,

On So 05 Jun 2022 14:35:03 CEST, Salvatore Bonaccorso wrote:

> Hi,
>
> On Sun, Jun 05, 2022 at 12:02:54PM +0000, Mike Gabriel wrote:
>> Hi Juri,
>>
>> On Sa 04 Jun 2022 00:13:11 CEST, debian wrote:
>>
>> > Hello,
>> >
>> > here is a draft for the MR:
>> > https://salsa.debian.org/horde-team/php-horde-turba/-/merge_requests/1
>> > I would look after it next time on Sunday evening.
>> >
>> > @Mike: Can you please review it?
>
> It looks like the force-pushed commit two days ago adjusted two
> further create() -> createTrusted() instances in lib/Application.php;
> can you double check?

I actually did double check already, applied 9f242132 and saw that it
did not apply properly (and thus reverted). See Git history at [1]. It
seems that the backup/restore API calls (where these two spots of
create -> createTrusted had been added) were not part of the 4.2.25
upstream release of turba.

> https://github.com/horde/turba/commit/9f2521328aa7d0dbd905591eca138c8e7580d673
> (which is not yet merged, but compare to the used
> https://github.com/horde/turba/commit/784da95e0190321b08ceeb27e2cb6c7505f2057c).
>
> p.s.: the upload did contain a non-valid bug closer, which, in case the
> above is correct, can simply be closed in a 4.2.25-7 upload.

If you agree, we have to close the bug manually as Juri's approach
already contained the right patch.

Mike

[1] https://salsa.debian.org/horde-team/php-horde-turba/-/commits/debian-sid

Juri Grabowski

Jun 6, 2022, 12:00:03 AM
Hello together,

On 2022-06-05 14:35, Salvatore Bonaccorso wrote:
> It looks like the force-pushed commit two days ago adjusted two
> further create() -> createTrusted() instances in lib/Application.php;
> can you double check?

The functions backup and _restoreContact are only available on turba/master
for a future release.

Best Regards,
Juri Grabowski

Salvatore Bonaccorso

Jun 6, 2022, 3:30:03 AM
Source: php-horde-turba
Source-Version: 4.2.25-6
Thanks for checking. In this case let's close this bug with the
4.2.25-6 version.

Regards,
Salvatore

Salvatore Bonaccorso

Jun 7, 2022, 2:40:03 AM
Hi,
Upstream has released v4.2.26, which contains fixes for the issue (done a
bit differently).

Regards,
Salvatore