A CVE has been assigned for a security issue in zarafa on January 3: http://www.openwall.com/lists/oss-security/2015/01/03/10

I just noticed that the package has been dropped in Fedora Rawhide. Maybe we should do the same. Mageia 4 is also affected.
Whiteboard: (none) => MGA4TOO
I asked at info@zarafa.com about the fix as they haven't published anything on their web site. CVE-2014-9465 was published in early December 2014 and it's now close to a month later. We should perhaps drop the package. They have never been forthcoming with security fixes. We mostly got them through Fedora, who have now "retired" the package.
Status: NEW => ASSIGNED
Hardware: i586 => x86_64
CC: (none) => thomas
We may be safe because of Bug 14107.
Blocks: (none) => 14674
I contacted zarafa by e-mail (info@zarafa.com) and haven't heard back. I am going to retire the zarafa packages in cauldron today if nobody objects. zarafa hasn't been responsive in the past with security issues.
bug is closed for cauldron/mga5
Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4
Blocks: 14674 => (none)
The fix is simply to put e.g.

rm -f $RPM_BUILD_ROOT%{_datadir}/%{name}-webaccess/senddocument.php

into the zarafa.spec file, see: http://pkgs.fedoraproject.org/cgit/zarafa.git/commit/?id=07cc7867537d78ea274413b6b2f451f97a61a8e0

Zarafa did the same for Zarafa 7.2.0 beta 1 and Zarafa 7.1.12 beta 1.
CC: (none) => mageia.org
URL: (none) => http://security.robert-scheck.de/cve-2014-9465-zarafa/
This bug has been fixed by applying the solution in Comment 5.

The following packages are now in updates_testing:

zarafa-7.1.11-1.1.mga4.src.rpm

zarafa-7.1.11-1.1.mga4.i586.rpm
zarafa-archiver-7.1.11-1.1.mga4.i586.rpm
zarafa-caldav-7.1.11-1.1.mga4.i586.rpm
zarafa-client-7.1.11-1.1.mga4.i586.rpm
zarafa-common-7.1.11-1.1.mga4.i586.rpm
zarafa-dagent-7.1.11-1.1.mga4.i586.rpm
zarafa-gateway-7.1.11-1.1.mga4.i586.rpm
zarafa-ical-7.1.11-1.1.mga4.i586.rpm
zarafa-indexer-7.1.11-1.1.mga4.i586.rpm
zarafa-monitor-7.1.11-1.1.mga4.i586.rpm
zarafa-server-7.1.11-1.1.mga4.i586.rpm
zarafa-spooler-7.1.11-1.1.mga4.i586.rpm
zarafa-utils-7.1.11-1.1.mga4.i586.rpm
zarafa-webaccess-7.1.11-1.1.mga4.noarch.rpm
libzarafa-devel-7.1.11-1.1.mga4.i586.rpm
libzarafa0-7.1.11-1.1.mga4.i586.rpm

and corresponding x86_64 packages
Assignee: thomas => qa-bugs
Thanks Thomas.

Advisory:
========================

Updated zarafa packages fix security vulnerability:

Robert Scheck discovered a flaw in Zarafa WebAccess >= 7.0.0 and Zarafa WebApp that could allow a remote unauthenticated attacker to exhaust the disk space of /tmp (CVE-2014-9465).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9465
http://security.robert-scheck.de/cve-2014-9465-zarafa/
http://www.openwall.com/lists/oss-security/2015/01/03/10
Hardware: x86_64 => All
Is bug 14107 addressed by this update?
No, that's a separate issue. It's not security related. I may fix it when I get to it.
Testing on Mageia 4x32, real hardware

From current packages :
---------------------
- zarafa-7.1.11-1.mga4.i586
- zarafa-archiver-7.1.11-1.mga4.i586
- zarafa-caldav-7.1.11-1.mga4.i586
- zarafa-client-7.1.11-1.mga4.i586
- zarafa-common-7.1.11-1.mga4.i586
- zarafa-dagent-7.1.11-1.mga4.i586
- zarafa-gateway-7.1.11-1.mga4.i586
- zarafa-ical-7.1.11-1.mga4.i586
- zarafa-indexer-7.1.11-1.mga4.i586
- zarafa-monitor-7.1.11-1.mga4.i586
- zarafa-server-7.1.11-1.mga4.i586
- zarafa-spooler-7.1.11-1.mga4.i586
- zarafa-utils-7.1.11-1.mga4.i586
- zarafa-webaccess-7.1.11-1.mga4.noarch
- libzarafa0-7.1.11-1.mga4.i586

Could not start zarafa-server. From comment 35 in https://bugs.mageia.org/show_bug.cgi?id=12813#c35, edited /etc/zarafa/server.cfg to add the mysql root password, then

# systemctl start zarafa-server
# systemctl status -l zarafa-server
zarafa-server.service - LSB: Zarafa Collaboration Platform's Storage Server
   Loaded: loaded (/etc/rc.d/init.d/zarafa-server)
   Active: active (running) since mar. 2015-01-27 18:19:28 CET; 9s ago

Could add a user following the same comment.

Browsed to : http://localhost/webaccess which gave :

Accès interdit!
Vous n'avez pas le droit d'accéder à l'objet demandé. Soit celui-ci est protégé, soit il ne peut être lu par le serveur.
Si vous pensez qu'il s'agit d'une erreur du serveur, veuillez contacter le webmestre.
Error 403
localhost

which is bug 14107.

Could start zarafa-dagent, zarafa-gateway, zarafa-ical, zarafa-monitor, zarafa-spooler services, which were all shown running.
Stopped all zarafa services.
Updated to testing packages :
---------------------------
- libzarafa0-7.1.11-1.1.mga4.i586
- zarafa-7.1.11-1.1.mga4.i586
- zarafa-archiver-7.1.11-1.1.mga4.i586
- zarafa-caldav-7.1.11-1.1.mga4.i586
- zarafa-client-7.1.11-1.1.mga4.i586
- zarafa-common-7.1.11-1.1.mga4.i586
- zarafa-dagent-7.1.11-1.1.mga4.i586
- zarafa-gateway-7.1.11-1.1.mga4.i586
- zarafa-ical-7.1.11-1.1.mga4.i586
- zarafa-indexer-7.1.11-1.1.mga4.i586
- zarafa-monitor-7.1.11-1.1.mga4.i586
- zarafa-server-7.1.11-1.1.mga4.i586
- zarafa-spooler-7.1.11-1.1.mga4.i586
- zarafa-utils-7.1.11-1.1.mga4.i586
- zarafa-webaccess-7.1.11-1.1.mga4.noarch

which brought along :
- php-mapi-7.1.11-1.1.mga4.i586

Could start zarafa-server and the other zarafa services.

As expected reading comment 9, bug 14107 not being fixed, http://localhost/webaccess gave the same Error 403.

Stuck here.
CC: (none) => olchal
MGA4-64 on HP Probook 6555b.

No installation issues, BUT from CLI:

systemctl start zarafa-server
Job for zarafa-server.service failed. See 'systemctl status zarafa-server.service' and 'journalctl -xn' for details.

so I did

systemctl status zarafa-server.service
zarafa-server.service - LSB: Zarafa Collaboration Platform's Storage Server
   Loaded: loaded (/etc/rc.d/init.d/zarafa-server)
   Active: failed (Result: exit-code) since Wed 2015-01-28 15:05:16 CET; 12s ago
  Process: 32641 ExecStart=/etc/rc.d/init.d/zarafa-server start (code=exited, status=255)

Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: Starting LSB: Zarafa Collaboration Platform's Storage Server...
Jan 28 15:05:16 mach5.hviaene.thuis zarafa-server[32641]: Starting zarafa-server: [FAILED]
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: zarafa-server.service: control process exited, code=exited status=255
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: Failed to start LSB: Zarafa Collaboration Platform's Storage Server.
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: Unit zarafa-server.service entered failed state.

and journalctl -xn

-- Logs begin at Thu 2014-12-04 15:40:47 CET, end at Wed 2015-01-28 15:05:16 CET. --
Jan 28 15:04:12 mach5.hviaene.thuis drakrpm[32004]: [RPM] zarafa-archiver-7.1.11-1.1.mga4.x86_64 installed
Jan 28 15:04:31 mach5.hviaene.thuis drakrpm[32004]: opening the RPM database
Jan 28 15:05:11 mach5.hviaene.thuis su[32577]: pam_tcb(su-l:auth): Authentication passed for root from tester4(uid=500)
Jan 28 15:05:11 mach5.hviaene.thuis su[32577]: (to root) tester4 on pts/5
Jan 28 15:05:11 mach5.hviaene.thuis su[32577]: pam_tcb(su-l:session): Session opened for root by tester4(uid=500)
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: Starting LSB: Zarafa Collaboration Platform's Storage Server...
-- Subject: Unit zarafa-server.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit zarafa-server.service has begun starting up.
Jan 28 15:05:16 mach5.hviaene.thuis zarafa-server[32641]: Starting zarafa-server: [FAILED]
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: zarafa-server.service: control process exited, code=exited status=255
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: Failed to start LSB: Zarafa Collaboration Platform's Storage Server.
-- Subject: Unit zarafa-server.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit zarafa-server.service has failed.
--
-- The result is failed.
Jan 28 15:05:16 mach5.hviaene.thuis systemd[1]: Unit zarafa-server.service entered failed state.
CC: (none) => herman.viaene
Can you do "grep ^log_method /etc/zarafa/server.cfg", please? By default the upstream Zarafa logs into file "/var/log/zarafa/server.log" which should tell more about the cause (e.g. misconfiguration).
Forgot one line from Olivier's comment: "edited /etc/zarafa/server.cfg to add the mysql root password". After that the zarafa server starts OK. But the same error 403 at http://localhost/webaccess.
You need something like

<IfModule mod_authz_core.c>
    Require all granted
</IfModule>

for Apache 2.4. I do not know where to find the Mageia SCM to cross-check, but something like the following should help: http://pkgs.fedoraproject.org/cgit/zarafa.git/tree/zarafa-webaccess.conf?id=2fe388869b31fa6faf57daead3083d8bb95bdc4d
Here's ours: http://svnweb.mageia.org/packages/updates/4/zarafa/current/SOURCES/zarafa-webaccess.conf?revision=573266&view=markup

(Replace updates/4 with cauldron if you want the development branch, in general. You won't find zarafa there since we removed it.)
(In reply to Robert Scheck from comment #14)
> You need something like
>
> <IfModule mod_authz_core.c>
>     Require all granted
> </IfModule>
>

Added those lines to /etc/httpd/conf/sites.d/zarafa-webaccess.conf and restarted httpd.

It now gives a blank page and this error in /var/log/http/access_log :

127.0.0.1 - - [28/Jan/2015:20:58:24 +0100] "GET /webaccess/ HTTP/1.1" 500 - "-" "Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0"

which is indeed bug 14107 still not fixed.
Thanks Olivier.

Without bug 14107 being fixed we have no real way to test this beyond https://bugs.mageia.org/show_bug.cgi?id=13822#c15

Do we push it again this way or can this be fixed with this update?

Adding feedback marker
Whiteboard: (none) => feedback
Created attachment 5846: Patch suggestion for SOURCES/zarafa-webaccess.conf
Created attachment 5847: Patch suggestion for SPECS/zarafa.spec
Created attachment 5848: New file suggestion for SOURCES/zarafa-7.1.11-php-unbundle.patch
The above three patches should solve all reported issues that I was able to find on this bugtracker. However, given that I am not a Mageia user, these might not be perfect, but please let me know if I can provide some more help. The patches are diffs against http://svnweb.mageia.org/packages/updates/4/zarafa/current/
(In reply to claire robinson from comment #17)
> Thanks Olivier.
>
> Without bug 14107 being fixed we have no real way to test this beyond
> https://bugs.mageia.org/show_bug.cgi?id=13822#c15
>
> Do we push it again this way or can this be fixed with this update?
>
> Adding feedback marker

This is a security update. So let's push this and then we fix the rest.

Since there haven't been any bug-reports except the security issue and the one from QA, I expect nobody is using zarafa from Mageia. I think I imported it because it was needed by the very old version of kolab.

BTW, you don't have php-apc installed, that may turn into a well hidden segfault.
Given that someone has taken the time to contribute proposed fixes, if they actually fix the problems, what's the harm in applying them? This security issue affects exactly the component that's broken, so there may not be a lot of use to the fix for it by itself. Ultimately it's up to you, those are just my thoughts.
I incorporated Robert Scheck's patches, which should fix bug #14107 as well. Thanks Robert for your efforts. I have not tested them as my virtual box doesn't have enough resources.

The following packages are now in updates_testing:

zarafa-7.1.11-1.2.mga4.src.rpm

zarafa-7.1.11-1.2.mga4.i586.rpm
zarafa-archiver-7.1.11-1.2.mga4.i586.rpm
zarafa-caldav-7.1.11-1.2.mga4.i586.rpm
zarafa-client-7.1.11-1.2.mga4.i586.rpm
zarafa-common-7.1.11-1.2.mga4.i586.rpm
zarafa-dagent-7.1.11-1.2.mga4.i586.rpm
zarafa-gateway-7.1.11-1.2.mga4.i586.rpm
zarafa-ical-7.1.11-1.2.mga4.i586.rpm
zarafa-indexer-7.1.11-1.2.mga4.i586.rpm
zarafa-monitor-7.1.11-1.2.mga4.i586.rpm
zarafa-server-7.1.11-1.2.mga4.i586.rpm
zarafa-spooler-7.1.11-1.2.mga4.i586.rpm
zarafa-utils-7.1.11-1.2.mga4.i586.rpm
zarafa-webaccess-7.1.11-1.2.mga4.noarch.rpm
libzarafa-devel-7.1.11-1.2.mga4.i586.rpm
libzarafa0-7.1.11-1.2.mga4.i586.rpm

and corresponding x86_64 packages
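For QA on a box where the updated packages are installed, the two changes discussed in this bug (removing senddocument.php from the webaccess tree, and granting access with the Apache 2.4 mod_authz_core syntax so httpd no longer answers 403) can be checked mechanically. The script below is an added example written for this page; it is not part of the Mageia bug, the zarafa package or Robert's patches. The default paths are assumptions: the webaccess directory is derived from the spec macro %{_datadir}/%{name}-webaccess, and the conf path is the one quoted earlier in this bug.

```shell
#!/bin/sh
# Added QA check, not part of the Mageia bug or the zarafa package.
# Verifies on an installed system that:
#  1. senddocument.php (the CVE-2014-9465 /tmp exhaustion entry point) is
#     gone from the webaccess tree, as the spec change in this bug does;
#  2. the Apache vhost carries the 2.4 mod_authz_core grant
#     ("Require all granted"); without it Apache 2.4 returns 403 (bug 14107).
# Default paths are assumptions derived from the spec macro
# %{_datadir}/%{name}-webaccess and the conf path quoted in this bug.

# Return 0 if senddocument.php is absent from the given webaccess directory.
check_senddocument_removed() {
    webaccess_dir="${1:-/usr/share/zarafa-webaccess}"
    if [ -e "$webaccess_dir/senddocument.php" ]; then
        echo "FAIL: $webaccess_dir/senddocument.php is still installed (CVE-2014-9465 unfixed)"
        return 1
    fi
    echo "OK: senddocument.php is absent from $webaccess_dir"
    return 0
}

# Return 0 if the Apache config contains the 2.4-style grant; a config that
# only carries the 2.2 "Order allow,deny / Allow from all" form fails here.
check_apache24_authz() {
    conf="${1:-/etc/httpd/conf/sites.d/zarafa-webaccess.conf}"
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf"
        return 1
    fi
    if grep -q 'Require all granted' "$conf"; then
        echo "OK: $conf grants access with mod_authz_core syntax"
        return 0
    fi
    echo "FAIL: $conf has no 'Require all granted'; Apache 2.4 will return 403"
    return 1
}

# Run both checks; exit status 0 means both passed, 1 means at least one failed.
zarafa_qa_check() {
    status=0
    check_senddocument_removed "$1" || status=1
    check_apache24_authz "$2" || status=1
    return $status
}

# Only touch the live system when asked, so the functions can also be
# sourced from another script:  sh zarafa-qa.sh --run [webaccess_dir] [conf]
if [ "${1:-}" = "--run" ]; then
    zarafa_qa_check "${2:-}" "${3:-}"
fi
```

Run it as root after installing the updates_testing packages; a FAIL on the first check means the vulnerable upload script is still shipped, a FAIL on the second reproduces the 403 seen in the earlier test reports.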
Thank you Robert and Thomas. Removing the feedback marker now.
Whiteboard: feedback => (none)
Testing on Mageia4x32, real hardware

Updated to last testing packages :
--------------------------------
- zarafa-7.1.11-1.2.mga4.i586
- zarafa-archiver-7.1.11-1.2.mga4.i586
- zarafa-caldav-7.1.11-1.2.mga4.i586
- zarafa-client-7.1.11-1.2.mga4.i586
- zarafa-common-7.1.11-1.2.mga4.i586
- zarafa-dagent-7.1.11-1.2.mga4.i586
- zarafa-gateway-7.1.11-1.2.mga4.i586
- zarafa-ical-7.1.11-1.2.mga4.i586
- zarafa-indexer-7.1.11-1.2.mga4.i586
- zarafa-monitor-7.1.11-1.2.mga4.i586
- zarafa-server-7.1.11-1.2.mga4.i586
- zarafa-spooler-7.1.11-1.2.mga4.i586
- zarafa-utils-7.1.11-1.2.mga4.i586
- zarafa-webaccess-7.1.11-1.2.mga4.noarch
- libzarafa0-7.1.11-1.2.mga4.i586

That installed quite a few php-pear packages (+php-mapi and php-channel).

Enabled all zarafa services. Rebooted. All services were running at startup (zarafa-server, zarafa-dagent, zarafa-gateway, zarafa-ical, zarafa-monitor, zarafa-spooler).

Browsed to : http://localhost/webaccess which brought me to the zarafa-webaccess logon page (well done Robert and Thomas!)

Could log in with the user previously set, and choose French language. That opened a nice interface, with email client, calendar ... Could add a contact, a new appointment, a task (which afterwards sent me regular alerts until I marked it completed), could change some settings, log out and back in.

According to my testing, the updated testing packages resolve bug 14107 on top of the current bug. Well done then.
Whiteboard: (none) => MGA4-32-OK
Thanks Olivier. Just a question; do you have access to a Windows box with MS Outlook to test zarafa? It's supposed to provide support, I believe up to 5 users. This could be done after the security update has been released.
(In reply to Thomas Spuhler from comment #27)
> Thanks Olivier. Just a question; do you have access to a Windows box with MS
> Outlook to test zarafa? It's supposed to provide support, I believe up to 5
> users.

To use the 3 free Outlook users, you need the proprietary zarafa-licensed.
(In reply to Robert Scheck from comment #28)
> (In reply to Thomas Spuhler from comment #27)
> > Thanks Olivier. Just a question; do you have access to a Windows box with MS
> > Outlook to test zarafa? It's supposed to provide support, I believe up to 5
> > users.
>
> To use the 3 free Outlook users, you need the proprietary zarafa-licensed.

Thanks for the clarification.
Sorry, no Windows nor zarafa licence here.
Testing on Mageia4x64, real hardware, following the same procedure as in comment 10 and comment 26

From current packages :
---------------------
- lib64zarafa0-7.1.11-1.mga4.x86_64
- zarafa-7.1.11-1.mga4.x86_64
- zarafa-archiver-7.1.11-1.mga4.x86_64
- zarafa-caldav-7.1.11-1.mga4.x86_64
- zarafa-client-7.1.11-1.mga4.x86_64
- zarafa-dagent-7.1.11-1.mga4.x86_64
- zarafa-gateway-7.1.11-1.mga4.x86_64
- zarafa-ical-7.1.11-1.mga4.x86_64
- zarafa-monitor-7.1.11-1.mga4.x86_64
- zarafa-server-7.1.11-1.mga4.x86_64
- zarafa-spooler-7.1.11-1.mga4.x86_64
- zarafa-utils-7.1.11-1.mga4.x86_64
- zarafa-webaccess-7.1.11-1.mga4.noarch

No trouble during installation, could start all zarafa services and add a user, but encountered the expected error 403 with zarafa-webaccess. Stopped all services.

To updated testing packages :
---------------------------
- lib64zarafa0-7.1.11-1.2.mga4.x86_64
- zarafa-7.1.11-1.2.mga4.x86_64
- zarafa-archiver-7.1.11-1.2.mga4.x86_64
- zarafa-caldav-7.1.11-1.2.mga4.x86_64
- zarafa-client-7.1.11-1.2.mga4.x86_64
- zarafa-common-7.1.11-1.2.mga4.x86_64
- zarafa-dagent-7.1.11-1.2.mga4.x86_64
- zarafa-gateway-7.1.11-1.2.mga4.x86_64
- zarafa-ical-7.1.11-1.2.mga4.x86_64
- zarafa-indexer-7.1.11-1.2.mga4.x86_64
- zarafa-monitor-7.1.11-1.2.mga4.x86_64
- zarafa-server-7.1.11-1.2.mga4.x86_64
- zarafa-spooler-7.1.11-1.2.mga4.x86_64
- zarafa-utils-7.1.11-1.2.mga4.x86_64
- zarafa-webaccess-7.1.11-1.2.mga4.noarch

which brought along :
- php-mapi-7.1.11-1.2.mga4.x86_64
- php-pear-XML_Parser-1.3.4-3.mga4.noarch
- php-pear-XML_Serializer-0.20.2-6.mga4.noarch

Installation OK, could restart all services, could log in to zarafa-webaccess with the user previously set, could add contacts, tasks (which sent me reminders), addresses, change some parameters, log out and back in... All OK
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
Well done everybody, and a special thank you to Robert.

Validating. Advisory uploaded.

Could sysadmin please push to 4 updates

Thanks
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0049.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
URL: http://security.robert-scheck.de/cve-2014-9465-zarafa/ => http://lwn.net/Vulnerabilities/632257/