Debian has issued an advisory on June 3: http://www.debian.org/security/2012/dsa-2485 The referenced Debian bug has a patch for horde-imp 4.3.7, which we have. horde-imp is not packaged for Mageia 2 or Cauldron, so they are not affected.
CC: (none) => thomas
Patched package uploaded.

Advisory:
========================

Updated horde-imp package fixes security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities were discovered in IMP, the webmail component in the Horde framework. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various crafted parameters (CVE-2012-0791).

Please note that this package is no longer available in Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0791
http://www.debian.org/security/2012/dsa-2485
========================

Updated packages in core/updates_testing:
========================

horde-imp-4.3.7-1.1.mga1 from horde-imp-4.3.7-1.1.mga1.src.rpm
Assignee: bugsquad => qa-bugs
I'm not sure how to test this one. If I go to https://127.0.0.1/horde/imp I get the login screen. I have dovecot installed and a working imap account, but the login is rejected with "username or password incorrect". I don't see anything in the log files. How do I get horde-imp to pass the login to dovecot, or am I misunderstanding how it should work?
CC: (none) => davidwhodgins
Ignore comment 2. Figured out I have to edit /etc/horde/imp/servers.php However, after editing that file, when I login, it takes me to http://127.0.0.1/horde/imp/redirect.php which is a blank page. If I then replace the address in the url with http://127.0.0.1/horde/imp/ I then find I am logged in, and can see the messages in the inbox.
CC: (none) => stormi
Whiteboard: (none) => has_procedure
Dave, does comment #3 mean that it's ok on your i586 box and that we can follow the same steps on x86_64, or is testing still in progress for this one?
Testing is still in progress. I have to go back to the release version to see if the problem I encountered in comment 3 is a regression or not.
Whiteboard: has_procedure => (none)
Testing Mageia 1 x86-64 now. This time, I'm starting with the Core Release version, and will sort out the configuration to get that working, before I install the update.
According to /usr/share/doc/horde/README.mdv, I should be able to configure horde, and then horde-imp, using its web interface. I have created the mysql database/user as per /usr/share/horde/scripts/SCRIPTS and run the set_perms.sh script, but I'm getting 403 access denied when I try going to https://127.0.0.1/horde The ssl_error_log shows "client denied by server configuration: /usr/share/horde". Any suggestions?
Whiteboard: (none) => feedback
I've just discovered that OpenSuSE issued an advisory for this on February 20: http://lists.opensuse.org/opensuse-updates/2012-02/msg00055.html They also updated the horde-dimp package, which we also have. It looks like they just updated it rather than patching. Thomas, maybe you can have a look?
CC: (none) => qa-bugs
Assignee: qa-bugs => thomas
Whiteboard: feedback => (none)
OpenSuSE also issued an advisory for horde itself on February 20: http://lists.opensuse.org/opensuse-updates/2012-02/msg00054.html They fixed that by upgrading it to 3.3.13.
Let's do the same, update to 3.3.13. I will work on this soon.
Status: NEW => ASSIGNED
horde-3.3.13 horde-dimp-1.1.8 horde-imp-4.3.11 are in upgrade testing. I have no set-up to do the test.
Thanks Thomas! Full package names (RPMs and SRPMs) are:
horde-3.3.13-1.mga1
horde-imp-4.3.11-1.1.mga1
horde-dimp-1.1.8-1.mga1

Advisory:
========================

Updated horde, horde-imp, horde-dimp packages fix security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities were discovered in IMP, the webmail component in the Horde framework. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various crafted parameters (CVE-2012-0791).

Cross-site scripting (XSS) vulnerability in Horde_Form in Horde Groupware Webmail Edition before 4.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to email verification (CVE-2012-0909).

Please note that these packages are no longer available in Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0909
http://lists.opensuse.org/opensuse-updates/2012-02/msg00054.html
http://lists.opensuse.org/opensuse-updates/2012-02/msg00055.html
http://www.debian.org/security/2012/dsa-2485
CC: qa-bugs => (none)
Assignee: thomas => qa-bugs
Summary: horde-imp new security issue CVE-2012-0791 => horde, horde-imp, horde-dimp new security issues CVE-2012-0791 and CVE-2012-0909
Thomas, any suggestion for comment #7?
Created attachment 2642: Errors displayed when accessing https://127.0.0.1/horde/

I've managed to get a bit farther by replacing /etc/php.ini with /usr/share/doc/php-doc/php.ini-development and changing all directories defined in /etc/httpd/conf/webapps.d/horde.conf to "Allow from all". The attached file shows the errors now being displayed. php-pear-PHPUnit-3.3.17-3.mga1 is installed.
I discovered two more CVEs that will be fixed by this horde update. Debian has issued an advisory on July 16, 2011: http://www.debian.org/security/2011/dsa-2278 This fixes the following issues that were fixed upstream in 3.3.9.

Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter (CVE-2010-3077).

Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form (CVE-2010-3694).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3694
http://www.debian.org/security/2011/dsa-2278

from http://lwn.net/Vulnerabilities/413565/

I'll update the advisory once the other issues are sorted out.
Found another CVE that will be fixed by this horde-imp update. Debian has issued an advisory on March 27, 2011: http://www.debian.org/security/2011/dsa-2204 This fixes the following issue that was fixed upstream in 4.3.8.

Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration (CVE-2010-3695).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3695
http://www.debian.org/security/2011/dsa-2204

from http://lwn.net/Vulnerabilities/435711/
Created attachment 2665: urpmi --debug log

Sorry for the delay getting back to this. I misread the latest comments and thought there was a new update in progress. Trying to install the latest version fails, as there are new requires, one of which is not satisfied (/usr/bin/php), though I don't understand why the php-cli package doesn't satisfy it.
(In reply to comment #17)
> Trying to install the latest version fails, as there are new requires, one
> of which is not satisfied (/usr/bin/php), though I don't understand why
> the php-cli package doesn't satisfy it.

That's a strange issue that's affected other things too, but I don't consider it to be a package issue. Let's not block an update just for that. What other issues are there? Is Comment 7 still relevant?
To comment 7: I don't know why, but you need to change "Allow from localhost" to "Allow from 127.0.0.1" in /etc/httpd/conf/webapps.d/horde.conf and it will work. I could change this and submit a horde update. But so far nobody else has submitted a bug, so I am not sure about the merit of doing it. This is not a regression.
Whiteboard: feedback => (none)
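As an added illustration, not part of this bug thread or of the Mageia horde package, here is the access-control difference the two testers ran into, written as an Apache 2.2 <Directory> block of the kind /etc/httpd/conf/webapps.d/horde.conf carries. The thread never quotes the real file, so the surrounding Order/Deny lines and the directory path are assumed; only the three "Allow from" variants come from the comments. The practical point: "Allow from localhost" is a hostname match, which mod_authz_host resolves with a double-reverse DNS lookup of the client address, so a host whose 127.0.0.1 does not reverse-resolve to a name matching "localhost" gets the 403 seen in comment 7. "Allow from all" makes the 403 go away but opens the webmail and /horde/admin/setup to every host that can reach the server. "Allow from 127.0.0.1" is an address match, needs no DNS, and stays local-only. (Swapping php.ini for php.ini-development, the other step in comment 14, turns on display_errors and is a debugging aid, not a production setting.)

```apache
# Assumed shape of the horde <Directory> block; the real
# /etc/httpd/conf/webapps.d/horde.conf is not quoted in the bug report.
<Directory /usr/share/horde>
    Options +FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all

    # Shipped setting (comment 19): a hostname match. Apache 2.2 performs a
    # double-reverse DNS lookup of the client IP for this, regardless of
    # HostnameLookups, and denies access if the result does not match.
    #Allow from localhost

    # Workaround from comment 14: fixes the 403, but exposes IMP and
    # /horde/admin/setup to any host that can reach the web server.
    #Allow from all

    # Fix from comment 19: a plain address match, no DNS involved, still
    # local-only. Add explicit networks instead of "all" if remote access
    # is actually needed, e.g. "Allow from 127.0.0.1 192.168.1.0/24".
    Allow from 127.0.0.1
</Directory>
```

After editing, "apachectl configtest" followed by a reload, then a request from a non-local address, confirms that the 403 is now coming from the Deny rather than from a failed name lookup.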
Testing complete on Mageia 1 i586 for the srpms
horde-3.3.13-1.mga1.src.rpm
horde-imp-4.3.11-1.1.mga1.src.rpm
horde-dimp-1.1.8-1.mga1.src.rpm

In addition to editing /etc/httpd/conf/webapps.d/horde.conf, to get it to work, I had to create the following symlinks ...
/etc/horde/lib -> /usr/share/horde/gollem/lib/
/usr/share/horde/lib/PEAR.php -> /usr/share/pear/PEAR.php
/usr/share/horde/lib/Gollem.php -> /usr/share/horde/gollem/lib/Gollem.php
/usr/share/horde/lib/Log.php -> Horde/Log.php

There are probably other/better ways to get it to work, such as changing the search paths in the config files, but this worked for me. Then using http://127.0.0.1/horde/admin/setup, I was able to get things set up, to the point the dovecot log shows a successful login, even though I'm still getting a login error from horde. While it's still not working properly for me, I think it's a configuration problem only.
Whiteboard: (none) => MGA1-32-OK
Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpms
horde-3.3.13-1.mga1.src.rpm
horde-imp-4.3.11-1.1.mga1.src.rpm
horde-dimp-1.1.8-1.mga1.src.rpm
from Mageia 1 Core Updates testing to Core Updates and link the following packages from Core Updates to Core Release
php-pear-Auth_SASL-1.0.4-2.mga1 (Core 32bit Release (distrib31))
php-pear-Auth_SASL-1.0.4-2.mga1 (Core Release (distrib1))
php-pear-Benchmark-1.2.8-1.mga1 (Core 32bit Release (distrib31))
php-pear-Benchmark-1.2.8-1.mga1 (Core Release (distrib1))

Advisory:

Updated horde, horde-imp, horde-dimp packages fix security vulnerabilities:

Multiple cross-site scripting (XSS) vulnerabilities were discovered in IMP, the webmail component in the Horde framework. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various crafted parameters (CVE-2012-0791).

Cross-site scripting (XSS) vulnerability in Horde_Form in Horde Groupware Webmail Edition before 4.0.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to email verification (CVE-2012-0909).

Cross-site scripting (XSS) vulnerability in util/icon_browser.php in the Horde Application Framework before 3.3.9 allows remote attackers to inject arbitrary web script or HTML via the subdir parameter (CVE-2010-3077).

Cross-site request forgery (CSRF) vulnerability in the Horde Application Framework before 3.3.9 allows remote attackers to hijack the authentication of unspecified victims for requests to a preference form (CVE-2010-3694).

Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration (CVE-2010-3695).

Please note that these packages are no longer available in Mageia 2.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0909
http://lists.opensuse.org/opensuse-updates/2012-02/msg00054.html
http://lists.opensuse.org/opensuse-updates/2012-02/msg00055.html
http://www.debian.org/security/2012/dsa-2485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3694
http://www.debian.org/security/2011/dsa-2278
http://lwn.net/Vulnerabilities/413565/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3695
http://www.debian.org/security/2011/dsa-2204
http://lwn.net/Vulnerabilities/435711/
https://bugs.mageia.org/show_bug.cgi?id=6603
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1-32-OK => MGA1-32-OK MGA1-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0239
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED