Bug 264523

Summary: mail/horde-turba: Update to 4.2.29 (4.2.26 fixes RCE security vulnerability: CVE-2022-30287)
Product: Ports & Packages
Reporter: Thierry Thomas <thierry>
Component: Individual Port(s)
Assignee: horde
Status: Closed FIXED
Severity: Affects Many People
CC: freebsdbugs, ports-secteam, thierry
Priority: Normal
Keywords: needs-qa, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (horde); koobs: merge-quarterly?
Hardware: Any
OS: Any
URL: https://github.com/horde/turba/blob/v4.2.28/docs/CHANGES
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264437
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267049
Attachments (description, flags):
Upgrade Turba to 4.2.27 and fix a vulnerability (flags: none)
Upgrade to 4.2.28 (flags: none)
Upgrade to v4.2.29 to fix CVE-2022-30287 (flags: thierry: maintainer-approval+)

Description Thierry Thomas freebsd_committer freebsd_triage 2022-06-07 16:12:10 UTC
Created attachment 234527
Upgrade Turba to 4.2.27 and fix a vulnerability

Fix remote code execution by an unserialization attack (CVE-2022-30287).

Changelog at
<https://github.com/horde/turba/blob/f16608bfa3e9a15817cc4ed2be9f3a0136ff338f/docs/CHANGES>

Note: an entry for vuxml has been proposed in PR 264437.
Comment 1 Thierry Thomas freebsd_committer freebsd_triage 2022-06-14 17:41:57 UTC
Created attachment 234685
Upgrade to 4.2.28

Yet another minor update after the security fix.
Comment 2 Thierry Thomas freebsd_committer freebsd_triage 2022-06-19 09:26:24 UTC
Created attachment 234777
Upgrade to v4.2.29 to fix CVE-2022-30287

Fix remote code execution by an unserialization attack (CVE-2022-30287)

Changelog at <https://github.com/horde/turba/blob/v4.2.29/docs/CHANGES>.
Comment 3 commit-hook freebsd_committer freebsd_triage 2022-06-19 09:28:28 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=455e2b036ddbbee8a84c70d51a7e8a34f3e0ec41

commit 455e2b036ddbbee8a84c70d51a7e8a34f3e0ec41
Author:     Thierry Thomas <thierry@FreeBSD.org>
AuthorDate: 2022-06-07 12:38:03 +0000
Commit:     Thierry Thomas <thierry@FreeBSD.org>
CommitDate: 2022-06-19 09:21:07 +0000

    mail/horde-turba: upgrade Turba to 4.2.29 and fix a vulnerability

    Fix remote code execution by an unserialization attack (CVE-2022-30287)

    Changelog at <https://github.com/horde/turba/blob/v4.2.29/docs/CHANGES>.

    Security:       CVE-2022-30287

    PR:             264523
    Approved by:    horde (maintainer) and ports-secteam time-out

 mail/horde-turba/Makefile | 2 +-
 mail/horde-turba/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 4 Thierry Thomas freebsd_committer freebsd_triage 2022-06-19 09:29:52 UTC
Committed, after maintainer’s time-out.