Bug 264523 - mail/horde-turba: Update to 4.2.29 (4.2.26 fixes RCE security vulnerability: CVE-2022-30287)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: horde
URL: https://github.com/horde/turba/blob/v...
Keywords: needs-qa, security
Depends on:
Blocks:
 
Reported: 2022-06-07 16:12 UTC by Thierry Thomas
Modified: 2022-10-14 11:32 UTC

See Also:
bugzilla: maintainer-feedback? (horde)
koobs: merge-quarterly?


Attachments
Upgrade Turba to 4.2.27 and fix a vulnerability (1.38 KB, patch)
2022-06-07 16:12 UTC, Thierry Thomas
Upgrade to 4.2.28 (2.55 KB, patch)
2022-06-14 17:41 UTC, Thierry Thomas
Upgrade to v4.2.29 to fix CVE-2022-30287 (1.42 KB, patch)
2022-06-19 09:26 UTC, Thierry Thomas
thierry: maintainer-approval+

Description Thierry Thomas freebsd_committer freebsd_triage 2022-06-07 16:12:10 UTC
Created attachment 234527
Upgrade Turba to 4.2.27 and fix a vulnerability

Fix remote code execution by an unserialization attack (CVE-2022-30287).

Changelog at
<https://github.com/horde/turba/blob/f16608bfa3e9a15817cc4ed2be9f3a0136ff338f/docs/CHANGES>

Note: an entry for vuxml has been proposed in PR 264437.
Comment 1 Thierry Thomas freebsd_committer freebsd_triage 2022-06-14 17:41:57 UTC
Created attachment 234685
Upgrade to 4.2.28

Yet another minor update after the security fix.
Comment 2 Thierry Thomas freebsd_committer freebsd_triage 2022-06-19 09:26:24 UTC
Created attachment 234777
Upgrade to v4.2.29 to fix CVE-2022-30287

Fix remote code execution by an unserialization attack (CVE-2022-30287)

Changelog at <https://github.com/horde/turba/blob/v4.2.29/docs/CHANGES>.
Comment 3 commit-hook freebsd_committer freebsd_triage 2022-06-19 09:28:28 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=455e2b036ddbbee8a84c70d51a7e8a34f3e0ec41

commit 455e2b036ddbbee8a84c70d51a7e8a34f3e0ec41
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2022-06-07 12:38:03 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2022-06-19 09:21:07 +0000

    mail/horde-turba: upgrade Turba to 4.2.29 and fix a vulnerability

    Fix remote code execution by an unserialization attack (CVE-2022-30287)

    Changelog at <https://github.com/horde/turba/blob/v4.2.29/docs/CHANGES>.

    Security:       CVE-2022-30287

    PR:             264523
    Approved by:    horde (maintainer) and ports-secteam time-out

 mail/horde-turba/Makefile | 2 +-
 mail/horde-turba/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 4 Thierry Thomas freebsd_committer freebsd_triage 2022-06-19 09:29:52 UTC
Committed, after maintainer’s time-out.