Bug 14993 - zarafa new security issue CVE-2014-9465
Summary: zarafa new security issue CVE-2014-9465
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/632257/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-01-09 05:24 CET by David Walser
Modified: 2015-02-06 17:26 CET (History)
5 users (show)

See Also:
Source RPM: zarafa-7.1.11-7.mga5.src.rpm
CVE:
Status comment:


Attachments
Patch suggestion for SOURCES/zarafa-webaccess.conf (1.01 KB, patch)
2015-01-29 23:12 CET, Robert Scheck
Details | Diff
Patch suggestion for SPECS/zarafa.spec (1.87 KB, patch)
2015-01-29 23:22 CET, Robert Scheck
Details | Diff
New file suggestion for SOURCES/zarafa-7.1.11-php-unbundle.patch (1.91 KB, patch)
2015-01-29 23:24 CET, Robert Scheck
Details | Diff

Description David Walser 2015-01-09 05:24:24 CET
A CVE has been assigned for a security issue in zarafa on January 3:
http://www.openwall.com/lists/oss-security/2015/01/03/10

I just noticed that the package has been dropped in Fedora Rawhide.  Maybe we should do the same.

Mageia 4 is also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-01-09 05:24:35 CET

Whiteboard: (none) => MGA4TOO

Comment 1 Thomas Spuhler 2015-01-10 17:12:19 CET
I asked at info@zarafa.com about the fix as they haven't published anything on their WEB site.
The CVE-2014-9465 was published in early December 2014 and it's now close to a month later.
We may should drop the package. They have never been forthcoming with security fixes. We mostly got them through Fedora who now "retired" the package.

Status: NEW => ASSIGNED

Thomas Spuhler 2015-01-10 17:12:50 CET

Hardware: i586 => x86_64
CC: (none) => thomas

Comment 2 Thomas Spuhler 2015-01-10 18:08:42 CET
We may be save because of Bug 14107.
David Walser 2015-01-12 00:31:52 CET

Blocks: (none) => 14674

Comment 3 Thomas Spuhler 2015-01-15 17:57:39 CET
I contacted zarafa by e-mail (info@zarafa.com) and haven't heard back. I am going to retire the zarafa packages in cauldron today if nobody objects.
zarafa hasn't been responsive in the past with security issues.
Comment 4 Thomas Spuhler 2015-01-15 18:48:03 CET
bug is closed for cauldron/mga5
David Walser 2015-01-15 18:50:58 CET

Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4
Blocks: 14674 => (none)

Comment 5 Robert Scheck 2015-01-21 02:20:26 CET
The fix is simply to put e.g.

  rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/senddocument.php

into the zarafa.spec file, see:

  http://pkgs.fedoraproject.org/cgit/zarafa.git/commit/?id=07cc7867537d78ea274413b6b2f451f97a61a8e0

Zarafa did the same for Zarafa 7.2.0 beta 1 and Zarafa 7.1.12 beta 1.

CC: (none) => mageia.org
URL: (none) => http://security.robert-scheck.de/cve-2014-9465-zarafa/

Comment 6 Thomas Spuhler 2015-01-26 04:42:11 CET
This bug has been fixed by applying the solution in Comment 5

The following packages are now in updates_testing:
zarafa-7.1.11-1.1.mga4.src.rpm
zarafa-7.1.11-1.1.mga4.i586.rpm	 
zarafa-archiver-7.1.11-1.1.mga4.i586.rpm
zarafa-caldav-7.1.11-1.1.mga4.i586.rpm	 
zarafa-client-7.1.11-1.1.mga4.i586.rpm	 
zarafa-common-7.1.11-1.1.mga4.i586.rpm	 
zarafa-dagent-7.1.11-1.1.mga4.i586.rpm	 
zarafa-gateway-7.1.11-1.1.mga4.i586.rpm	 
zarafa-ical-7.1.11-1.1.mga4.i586.rpm	 
zarafa-indexer-7.1.11-1.1.mga4.i586.rpm	 
zarafa-monitor-7.1.11-1.1.mga4.i586.rpm	 
zarafa-server-7.1.11-1.1.mga4.i586.rpm	 
zarafa-spooler-7.1.11-1.1.mga4.i586.rpm	 
zarafa-utils-7.1.11-1.1.mga4.i586.rpm	 
zarafa-webaccess-7.1.11-1.1.mga4.noarch.rpm
libzarafa-devel-7.1.11-1.1.mga4.i586.rpm 
libzarafa0-7.1.11-1.1.mga4.i586.rpm
and corresponding x86_64 packages

Assignee: thomas => qa-bugs

Comment 7 David Walser 2015-01-26 12:40:11 CET
Thanks Thomas.

Advisory:
========================

Updated zarafa packages fix security vulnerability:

Robert Scheck discovered a flaw in Zarafa WebAccess >= 7.0.0 and Zarafa WebApp
that could allow a remote unauthenticated attacker to exhaust the disk space
of /tmp (CVE-2014-9465).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9465
http://security.robert-scheck.de/cve-2014-9465-zarafa/
http://www.openwall.com/lists/oss-security/2015/01/03/10

Hardware: x86_64 => All

Comment 8 claire robinson 2015-01-27 13:28:59 CET
Is bug 14107 addressed by this update?
Comment 9 Thomas Spuhler 2015-01-27 15:48:26 CET
No, that's a separate issue. It's not security related. I'll may fix it when I get to it.
Comment 10 olivier charles 2015-01-27 18:49:14 CET
Testing on Mageia 4x32 real hardware,

From current packages :
---------------------
- zarafa-7.1.11-1.mga4.i586
- zarafa-archiver-7.1.11-1.mga4.i586
- zarafa-caldav-7.1.11-1.mga4.i586
- zarafa-client-7.1.11-1.mga4.i586
- zarafa-common-7.1.11-1.mga4.i586
- zarafa-dagent-7.1.11-1.mga4.i586
- zarafa-gateway-7.1.11-1.mga4.i586
- zarafa-ical-7.1.11-1.mga4.i586
- zarafa-indexer-7.1.11-1.mga4.i586
- zarafa-monitor-7.1.11-1.mga4.i586
- zarafa-server-7.1.11-1.mga4.i586
- zarafa-spooler-7.1.11-1.mga4.i586
- zarafa-utils-7.1.11-1.mga4.i586
- zarafa-webaccess-7.1.11-1.mga4.noarch
- libzarafa0-7.1.11-1.mga4.i586

Could not start zarafa-server

From comment 35 in https://bugs.mageia.org/show_bug.cgi?id=12813#c35
edited /etc/zarafa/server.cfg to add the mysql root password
then
# systemctl start zarafa-server
# systemctl status -l zarafa-server
zarafa-server.service - LSB: Zarafa Collaboration Platform's Storage Server
   Loaded: loaded (/etc/rc.d/init.d/zarafa-server)
   Active: active (running) since mar. 2015-01-27 18:19:28 CET; 9s ago

Could add a user following same comment.

Browsed to : http://localhost/webaccess
which gave : 
Accès interdit!
Vous n'avez pas le droit d'accéder à l'objet demandé. Soit celui-ci est protégé, 
soit il ne peut être lu par le serveur.
Si vous pensez qu'il s'agit d'une erreur du serveur, veuillez contacter le 
webmestre.
Error 403
localhost
which is bug 14107.

Could start zarafa-dagent, zarafa-gateway, zarafa-ical, zarafa-monitor, 
zarafa-spooler services which were all shown running.

Stopped all zarafa services.


Updated to testing packages :
---------------------------

- libzarafa0-7.1.11-1.1.mga4.i586
- zarafa-7.1.11-1.1.mga4.i586
- zarafa-archiver-7.1.11-1.1.mga4.i586
- zarafa-caldav-7.1.11-1.1.mga4.i586
- zarafa-client-7.1.11-1.1.mga4.i586
- zarafa-common-7.1.11-1.1.mga4.i586
- zarafa-dagent-7.1.11-1.1.mga4.i586
- zarafa-gateway-7.1.11-1.1.mga4.i586
- zarafa-ical-7.1.11-1.1.mga4.i586
- zarafa-indexer-7.1.11-1.1.mga4.i586
- zarafa-monitor-7.1.11-1.1.mga4.i586
- zarafa-server-7.1.11-1.1.mga4.i586
- zarafa-spooler-7.1.11-1.1.mga4.i586
- zarafa-utils-7.1.11-1.1.mga4.i586
- zarafa-webaccess-7.1.11-1.1.mga4.noarch

which brought along : - php-mapi-7.1.11-1.1.mga4.i586

Could start zarafa-server and the other zarafa services.
As expected reading comment 9, bug 14107 not being fixed,
http://localhost/webaccess gave same Error 403.

Stuck here.

CC: (none) => olchal

Comment 11 Herman Viaene 2015-01-28 15:11:51 CET
MGA4-64 on HP Probook 6555b.
No installation issues, BUT
from CLI:
systemctl start zarafa-server
Job for zarafa-server.service failed. See 'systemctl status zarafa-server.service' and 'journalctl -xn' for details.
so I did
systemctl status zarafa-server.service
zarafa-server.service - LSB: Zarafa Collaboration Platform's Storage Server
   Loaded: loaded (/etc/rc.d/init.d/zarafa-server)
   Active: failed (Result: exit-code) since Wed 2015-01-28 15:05:16 CET; 12s ago
  Process: 32641 ExecStart=/etc/rc.d/init.d/zarafa-server start (code=exited, status=255)

Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: Starting LSB: Zarafa Collaboration Platform's Storage Server...
Jan 28 15:05:16 mach5.hviaene.thuis zarafa-server[32641]: Starting zarafa-server: [FAILED]
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: zarafa-server.service: control process exited, code=exited status=255
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: Failed to start LSB: Zarafa Collaboration Platform's Storage Server.
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: Unit zarafa-server.service entered failed state.

and

journalctl -xn
-- Logs begin at Thu 2014-12-04 15:40:47 CET, end at Wed 2015-01-28 15:05:16 CET. --
Jan 28 15:04:12 mach5.hviaene.thuis drakrpm[32004]: [RPM] zarafa-archiver-7.1.11-1.1.mga4.x86_64 installed
Jan 28 15:04:31 mach5.hviaene.thuis drakrpm[32004]: opening the RPM database
Jan 28 15:05:11 mach5.hviaene.thuis su[32577]: pam_tcb(su-l:auth): Authentication passed for root from tester4(uid=500)
Jan 28 15:05:11 mach5.hviaene.thuis su[32577]: (to root) tester4 on pts/5
Jan 28 15:05:11 mach5.hviaene.thuis su[32577]: pam_tcb(su-l:session): Session opened for root by tester4(uid=500)
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: Starting LSB: Zarafa Collaboration Platform's Storage Server...
-- Subject: Unit zarafa-server.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit zarafa-server.service has begun starting up.
Jan 28 15:05:16 mach5.hviaene.thuis zarafa-server[32641]: Starting zarafa-server: [FAILED]
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: zarafa-server.service: control process exited, code=exited status=255
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: Failed to start LSB: Zarafa Collaboration Platform's Storage Server.
-- Subject: Unit zarafa-server.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit zarafa-server.service has failed.
-- 
-- The result is failed.
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: Unit zarafa-server.service entered failed state.

CC: (none) => herman.viaene

Comment 12 Robert Scheck 2015-01-28 15:18:24 CET
Can you do "grep ^log_method /etc/zarafa/server.cfg", please? By default the
upstream Zarafa logs into file "/var/log/zarafa/server.log" which should tell
more about the cause (e.g. misconfiguration).
Comment 13 Herman Viaene 2015-01-28 15:23:57 CET
Forgot one line from Olivier's comment "edited /etc/zarafa/server.cfg to add the mysql root password".
After that the zarafa server starts OK. But the same error 403 at http://localhost/webaccess
Comment 14 Robert Scheck 2015-01-28 15:29:23 CET
You need something like

  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>

for Apache 2.4. I do not know where to find the Mageia SCM to cross-check, but
something like the following should help:

  http://pkgs.fedoraproject.org/cgit/zarafa.git/tree/zarafa-webaccess.conf?id=2fe388869b31fa6faf57daead3083d8bb95bdc4d
Comment 15 David Walser 2015-01-28 15:37:52 CET
Here's ours:
http://svnweb.mageia.org/packages/updates/4/zarafa/current/SOURCES/zarafa-webaccess.conf?revision=573266&view=markup

(replace updates/4 with cauldron if you want the development branch, in general.  You won't find zarafa there since we removed it)
Comment 16 olivier charles 2015-01-28 21:04:02 CET
(In reply to Robert Scheck from comment #14)
> You need something like
> 
>   <IfModule mod_authz_core.c>
>     Require all granted
>   </IfModule>
> 

Added that lines to /etc/httpd/conf/sites.d/zarafa-webaccess.conf
and restarted httpd
It now gives a blank page 
and this error in /var/log/http/access_log :

127.0.0.1 - - [28/Jan/2015:20:58:24 +0100] "GET /webaccess/ HTTP/1.1" 500 - "-" "Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0"

which is indeed bug 14107 still not fixed.
Comment 17 claire robinson 2015-01-29 17:38:41 CET
Thanks Olivier.

Without bug 14107 being fixed we have no real way to test this beyond https://bugs.mageia.org/show_bug.cgi?id=13822#c15

Do we push it again this way or can this be fixed with this update?

Adding feedback marker

Whiteboard: (none) => feedback

Comment 18 Robert Scheck 2015-01-29 23:12:48 CET
Created attachment 5846 [details]
Patch suggestion for SOURCES/zarafa-webaccess.conf
Comment 19 Robert Scheck 2015-01-29 23:22:14 CET
Created attachment 5847 [details]
Patch suggestion for SPECS/zarafa.spec
Comment 20 Robert Scheck 2015-01-29 23:24:27 CET
Created attachment 5848 [details]
New file suggestion for SOURCES/zarafa-7.1.11-php-unbundle.patch
Comment 21 Robert Scheck 2015-01-29 23:27:33 CET
Above three patches should solve all reported issues that I was able to find
on this bugtracker. However given that I am not a Mageia user these might not
be perfect, but please let me know if I can provide some more help. Patches
are diffs against http://svnweb.mageia.org/packages/updates/4/zarafa/current/
Comment 22 Thomas Spuhler 2015-01-30 02:05:31 CET
(In reply to claire robinson from comment #17)
> Thanks Olivier.
> 
> Without bug 14107 being fixed we have no real way to test this beyond
> https://bugs.mageia.org/show_bug.cgi?id=13822#c15
> 
> Do we push it again this way or can this be fixed with this update?
> 
> Adding feedback marker

This is a security update. So let's push this and then we fix the rest.

Since there haven't been any bug-reports except the security issue and the one from QA, I expect nobody is using zarafa from Mageia. I think I imported it because it was needed by the very old version of kolab.

BTW, you don't have php-apc installed, that may turn into a well hidden segfault.
Comment 23 David Walser 2015-01-30 02:12:01 CET
Given that someone has taken the time to contribute proposed fixes, if they actually fix the problems, what's the harm in applying them?  This security issue affects exactly the component that's broken, so there may not be a lot of use to the fix for it by itself.  Ultimately it's up to you, those are just my thoughts.
Comment 24 Thomas Spuhler 2015-01-31 04:06:28 CET
I incorporated Robert Scheck's patches that should fix bug #14107 as well.
Thanks Robert for your efforts.
I have not tested them as my virtual box doesn't have enough resources.

The following packages are now in updates_testing:
zarafa-7.1.11-1.2.mga4.src.rpm
zarafa-7.1.11-1.2.mga4.i586.rpm	 
zarafa-archiver-7.1.11-1.2.mga4.i586.rpm
zarafa-caldav-7.1.11-1.2.mga4.i586.rpm	 
zarafa-client-7.1.11-1.2.mga4.i586.rpm	 
zarafa-common-7.1.11-1.2.mga4.i586.rpm	 
zarafa-dagent-7.1.11-1.2.mga4.i586.rpm	 
zarafa-gateway-7.1.11-1.2.mga4.i586.rpm	 
zarafa-ical-7.1.11-1.2.mga4.i586.rpm	 
zarafa-indexer-7.1.11-1.2.mga4.i586.rpm	 
zarafa-monitor-7.1.11-1.2.mga4.i586.rpm	 
zarafa-server-7.1.11-1.2.mga4.i586.rpm	 
zarafa-spooler-7.1.11-1.2.mga4.i586.rpm	 
zarafa-utils-7.1.11-1.2.mga4.i586.rpm
zarafa-webaccess-7.1.11-1.2.mga4.noarch.rpm
libzarafa-devel-7.1.11-1.2.mga4.i586.rpm 
libzarafa0-7.1.11-1.2.mga4.i586.rpm
and corresponding x86_64 packages
Comment 25 David Walser 2015-01-31 04:16:28 CET
Thank you Robert and Thomas.  Removing the feedback marker now.

Whiteboard: feedback => (none)

Comment 26 olivier charles 2015-01-31 09:05:35 CET
Testing on Mageia4x32, real hardware

Updated to last testing packages :
--------------------------------
- zarafa-7.1.11-1.2.mga4.i586
- zarafa-archiver-7.1.11-1.2.mga4.i586
- zarafa-caldav-7.1.11-1.2.mga4.i586
- zarafa-client-7.1.11-1.2.mga4.i586
- zarafa-common-7.1.11-1.2.mga4.i586
- zarafa-dagent-7.1.11-1.2.mga4.i586
- zarafa-gateway-7.1.11-1.2.mga4.i586
- zarafa-ical-7.1.11-1.2.mga4.i586
- zarafa-indexer-7.1.11-1.2.mga4.i586
- zarafa-monitor-7.1.11-1.2.mga4.i586
- zarafa-server-7.1.11-1.2.mga4.i586
- zarafa-spooler-7.1.11-1.2.mga4.i586
- zarafa-utils-7.1.11-1.2.mga4.i586
- zarafa-webaccess-7.1.11-1.2.mga4.noarch
- libzarafa0-7.1.11-1.2.mga4.i586

That installed quite a few php-pear packets (+php-mapi and php-channel)

Enabled all zarafa services
Rebooted.
All services were running at startup (zafafa-server, zarafa-dagent, zarafa-gateway, zarafa-ical, zarafa-monitor, zarafa-spooler)

Browsed to : http://localhost/webaccess
which brought me to zarafa-webacces logon page (well done Robert and Thomas!)

Could log in with user previously set, and choose French language.
That opened a nice interface, with email client, calendar ...
Could add a contact, a new appointment, a task (which afterwards sent me regular alerts until I marked it completed), could change some settings, log out an back in.

According to my testing, updated testing packages resolve bug 14107 on top of current bug.


Well done then.

Whiteboard: (none) => MGA4-32-OK

Comment 27 Thomas Spuhler 2015-01-31 16:23:06 CET
Thanks Olivier. Just a question; do you ave access to a windows box with MS Outlook to test zarafa. It's supposed to provide support, I believe up to 5 users.
This could be done after the security update has been released.
Comment 28 Robert Scheck 2015-01-31 16:43:09 CET
(In reply to Thomas Spuhler from comment #27)
> Thanks Olivier. Just a question; do you ave access to a windows box with MS
> Outlook to test zarafa. It's supposed to provide support, I believe up to 5
> users.

To use the 3 free Outlook users, you need the proprietary zarafa-licensed.
Comment 29 Thomas Spuhler 2015-01-31 16:56:04 CET
(In reply to Robert Scheck from comment #28)
> (In reply to Thomas Spuhler from comment #27)
> > Thanks Olivier. Just a question; do you ave access to a windows box with MS
> > Outlook to test zarafa. It's supposed to provide support, I believe up to 5
> > users.
> 
> To use the 3 free Outlook users, you need the proprietary zarafa-licensed.

Thanks for clarification.
Comment 30 olivier charles 2015-01-31 18:12:54 CET
Sorry, no Windows nor zarafa licence here.
Comment 31 olivier charles 2015-02-04 22:21:11 CET
Testing on Mageia4x64, real hardware following the same procedure than in comment 10 and comment 26

From current packages :
---------------------
- lib64zarafa0-7.1.11-1.mga4.x86_64
- zarafa-7.1.11-1.mga4.x86_64
- zarafa-archiver-7.1.11-1.mga4.x86_64
- zarafa-caldav-7.1.11-1.mga4.x86_64
- zarafa-client-7.1.11-1.mga4.x86_64
- zarafa-dagent-7.1.11-1.mga4.x86_64
- zarafa-gateway-7.1.11-1.mga4.x86_64
- zarafa-ical-7.1.11-1.mga4.x86_64
- zarafa-monitor-7.1.11-1.mga4.x86_64
- zarafa-server-7.1.11-1.mga4.x86_64
- zarafa-spooler-7.1.11-1.mga4.x86_64
- zarafa-utils-7.1.11-1.mga4.x86_64
- zarafa-webaccess-7.1.11-1.mga4.noarch

No trouble during installation, could start all zarafa services and add a user but encountered expected error 403 with zarafa-webaccess.
Stopped all services.

To updated testing packages :
---------------------------
- lib64zarafa0-7.1.11-1.2.mga4.x86_64
- zarafa-7.1.11-1.2.mga4.x86_64
- zarafa-archiver-7.1.11-1.2.mga4.x86_64
- zarafa-caldav-7.1.11-1.2.mga4.x86_64
- zarafa-client-7.1.11-1.2.mga4.x86_64
- zarafa-common-7.1.11-1.2.mga4.x86_64
- zarafa-dagent-7.1.11-1.2.mga4.x86_64
- zarafa-gateway-7.1.11-1.2.mga4.x86_64
- zarafa-ical-7.1.11-1.2.mga4.x86_64
- zarafa-indexer-7.1.11-1.2.mga4.x86_64
- zarafa-monitor-7.1.11-1.2.mga4.x86_64
- zarafa-server-7.1.11-1.2.mga4.x86_64
- zarafa-spooler-7.1.11-1.2.mga4.x86_64
- zarafa-utils-7.1.11-1.2.mga4.x86_64
- zarafa-webaccess-7.1.11-1.2.mga4.noarch

which brought along :

- php-mapi-7.1.11-1.2.mga4.x86_64
- php-pear-XML_Parser-1.3.4-3.mga4.noarch
- php-pear-XML_Serializer-0.20.2-6.mga4.noarch

Installation OK, could restart all services, could log in zarafa-webaccess with user previously set, could add contacts, tasks (which sent me reminders), addresses, change some parameters, log out and back in...

All OK

Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 32 claire robinson 2015-02-05 18:54:41 CET
Well done everybody and a special thankyou to Robert.

Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK

Comment 33 Mageia Robot 2015-02-05 23:26:39 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0049.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-02-06 17:26:54 CET

URL: http://security.robert-scheck.de/cve-2014-9465-zarafa/ => http://lwn.net/Vulnerabilities/632257/


Note You need to log in before you can comment on or make changes to this bug.