On Fri, October 15, 2021 2:36 pm, James B. Byrne wrote:

> On Thu, October 14, 2021 18:09, Paul Lesniewski wrote:
>> On Thu, October 14, 2021 7:28 pm, James B. Byrne via squirrelmail-users wrote:
>>> See: https://nvd.nist.gov/vuln/detail/CVE-2020-14933#match-5399106
>>>
>>> Has this been patched?
>>
>> There is no vulnerability here. Per OWASP:
>>
>> https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
>>
>> =====
>> In order to successfully exploit a PHP Object Injection vulnerability two
>> conditions must be met:
>>
>> The application must have a class which implements a PHP magic method
>> (such as __wakeup or __destruct) that can be used to carry out malicious
>> attacks, or to start a "POP chain".
>> All of the classes used during the attack must be declared when the
>> vulnerable unserialize() is being called, otherwise object autoloading
>> must be supported for such classes.
>> =====
>>
>> SquirrelMail doesn't qualify for that scenario. Whoever accepted/assigned
>> this CVE seems to have only taken the word of the reporter, who has no
>> proof that I know of that there is any security issue. If anyone knows
>> differently, please get in touch.
>>
>> I'll put something on our /security page to reflect the situation.
>>
>> Cheers,
>
> My problem is that I am in the midst of a PCI audit; and we use SquirrelMail;
> and this CVE is an issue with them. I doubt that either I or anyone else can
> convince the auditors to ignore what is on the NIST website identified as a
> Critical error respecting SM. That said, I will show them your response. One
> never knows what can happen when dealing with people having much authority and
> little knowledge.
>
> I checked some Linux distros and they seem to have issued some sort of patch to
> deal with this. I have seen a request made to the FreeBSD bug tracker to deal
> with this as well.
>
> I need something done to address this CVE, either by having it removed from
> NIST as invalid or through some sort of patch, meaningless or not, that
> convinces NIST that the issue is resolved. That probably requires a new CPE,
> and that will no doubt require the FreeBSD port maintainer to issue a version
> upgrade. Otherwise I am going to be forced into an unwanted, and evidently
> unnecessary, migration. For which I have neither the time nor resources to
> effect.

This was on my radar, but given your situation, I went ahead and contacted
both NIST and MITRE just now. If you have the FreeBSD maintainer's contact
info, I can work with that person too, but I don't understand what you need
from that person? Maybe you want them to invalidate/reject the ticket on their
bug tracker?

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
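The two OWASP conditions quoted in the thread (a declared class with an abusable magic method, reachable when unserialize() runs on attacker-controlled bytes) are easier to reason about with a concrete script. The following is an added illustration written for this page; it is not SquirrelMail code and says nothing about whether SquirrelMail contains such a class. The LogWriter class, the file paths and the function names are hypothetical, and the serialized payload is constructed for the demo. It needs PHP 7.0 or later for the allowed_classes option.

```php
<?php
// Added illustration, not SquirrelMail code. The class, file paths and
// function names are hypothetical. Requires PHP 7.0+ (allowed_classes).

// OWASP condition 1: a declared class whose magic method does something an
// attacker can abuse. This is a deliberately unsafe "gadget" class.
class LogWriter
{
    public $path = '/tmp/app.log';
    public $data = '';

    public function __destruct()
    {
        // Fires when the object is destroyed, including objects that
        // unserialize() built from attacker-supplied bytes.
        file_put_contents($this->path, $this->data);
    }
}

// Constructed attacker payload (hypothetical): a serialized LogWriter whose
// properties the attacker chose. Layout: O:<len>:"<class>":<count>:{<props>}
const ATTACKER_PAYLOAD =
    'O:9:"LogWriter":2:{s:4:"path";s:17:"/tmp/injected.txt";s:4:"data";s:5:"pwned";}';

// Vulnerable pattern: untrusted input reaches unserialize() with no class
// restriction while LogWriter is declared (OWASP condition 2). The attacker's
// object is instantiated, and its __destruct() runs as soon as $obj goes out
// of scope when this function returns.
function vulnerableRestore(string $input): string
{
    $obj = unserialize($input);
    return get_class($obj);
}

// Hardened pattern: refuse to instantiate any class. Object entries become
// __PHP_Incomplete_Class, whose magic methods never run, so condition 2 can
// no longer be met no matter which classes are declared or autoloadable.
function hardenedRestore(string $input): string
{
    $obj = unserialize($input, ['allowed_classes' => false]);
    return get_class($obj);
}

// Preferred pattern when the persisted data is plain state rather than
// objects: use a format that cannot describe objects at all.
function safeRestore(string $json): array
{
    $decoded = json_decode($json, true);
    return is_array($decoded) ? $decoded : [];
}

printf("hardened restore produced: %s\n", hardenedRestore(ATTACKER_PAYLOAD));
printf("vulnerable restore produced: %s\n", vulnerableRestore(ATTACKER_PAYLOAD));
printf("gadget file present: %s\n", file_exists('/tmp/injected.txt') ? 'yes' : 'no');
printf("json restore keys: %s\n", implode(',', array_keys(safeRestore('{"path":"x","data":"y"}'))));
```

Run it with `php example.php`. The hardened call returns __PHP_Incomplete_Class and writes nothing; the vulnerable call instantiates LogWriter and the destructor writes the attacker's file. Note the scope of condition 2 when auditing a real code base: "declared when unserialize() is called" includes every class reachable through an autoloader, so bundled libraries and plugins have to be in the search for gadget classes, not only the application's own files.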