Mailing List Archive

[DAViCal-devel] davical_1.1.5-1+deb9u1 -- potentially breaks web interface-configuration
Dear all

On Debian 9.11, since upgrading to latest davical 1.1.5-1+deb9u1
package, the web-interface breaks due to not finding awl's Session (I
assume).

Error Message

> Exception [0] Call to undefined method DAViCalSession::Session()
> At line 64 of /usr/share/davical/inc/DAViCalSession.php
> ================= Stack Trace ===================
> /usr/share/davical/htdocs/index.php[11] include()
> /usr/share/davical/inc/DAViCalSession.php[189] DAViCalSession->__construct()

Installed packages:

> c0srv4:~!59> dpkg -l davical libawl-php
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name                     Version           Architecture      Description
> +++-========================-=================-=================-=====================================================
> ii  davical                  1.1.5-1+deb9u1    all               PHP CalDAV and CardDAV Server
> ii  libawl-php               0.57-1            all               Andrew's Web Libraries - PHP Utility Libraries
> c0srv4:~!60> cat /etc/debian_version
> 9.11

The apache config has not been touched with the relevant sections:

>         AcceptPathInfo On
>         php_value include_path /usr/share/awl/inc:/usr/share/davical/inc
>         php_value magic_quotes_gpc 0
>         php_value magic_quotes_runtime 0
>         php_value register_globals 0
>         php_value error_reporting "E_ALL & ~E_NOTICE"
>         php_value default_charset "utf-8"
>         php_admin_value open_basedir /usr/share/davical/:/usr/share/awl/inc/:/etc/davical/
>         php_admin_flag suhosin.server.strip off
>         php_value magic_quotes_runtime 0

Any idea what I could be missing?

Thanks in advance.

Best regards

Lukas

-------- Forwarded Message --------
Subject: [DAViCal-devel] davical_1.1.5-1+deb9u1_amd64.changes ACCEPTED into oldstable-proposed-updates->oldstable-new
Date: Fri, 13 Dec 2019 19:49:09 +0000
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: Florian Schlichting <fsfs@debian.org>, Davical Development Team <davical-devel@lists.sourceforge.net>



Mapping oldstable-security to oldstable-proposed-updates.

Accepted:

Format: 1.8
Date: Fri, 13 Dec 2019 07:59:08 +0800
Source: davical
Binary: davical davical-doc
Architecture: source all
Version: 1.1.5-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Davical Development Team <davical-devel@lists.sourceforge.net>
Changed-By: Florian Schlichting <fsfs@debian.org>
Description:
davical - PHP CalDAV and CardDAV Server
davical-doc - PHP CalDAV and CardDAV Server - technical documentation
Closes: 946343
Changes:
davical (1.1.5-1+deb9u1) stretch-security; urgency=high
.
* Fix three cross-site scripting and cross-site request forgery
vulnerabilities in the web administration front-end:
CVE-2019-18345 CVE-2019-18346 CVE-2019-18347 (closes: #946343)



Thank you for your contribution to Debian.


_______________________________________________
DAViCal-devel mailing list
DAViCal-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/davical-devel

Re: [DAViCal-devel] davical_1.1.5-1+deb9u1 -- potentially breaks web interface-configuration
Hi Lukas,

this sounds worrying, but are you sure you were using the pristine
Debian package before? I think you must have applied
https://gitlab.com/davical-project/davical/commit/40e2714adf96fe8bd549b90182de75fade27c897
or used the backports package (which isn't updated yet).

I'm sorry I forgot that the entire web-interface is dysfunctional in
Debian 9, I could have tried to get that fix in with the Security
update, or if there's popular demand work on an oldstable update. But
what I'd really suggest is upgrading to the latest versions of davical
and awl, which contain many many fixes to small-ish issues...

Florian


On Tue, Dec 17, 2019 at 10:52:27PM +0100, Lukas Ruf wrote:
> Dear all
>
> On Debian 9.11, since upgrading to latest davical 1.1.5-1+deb9u1
> package, the web-interface breaks due to not finding awl's Session (I
> assume).

Kind regards
Florian Schlichting

--
Florian Schlichting Freie Universität Berlin
Server Infrastructure (Linux) Zentraleinrichtung für Datenverarbeitung
Phone: +49 30 838-55937 Fabeckstraße 32
https://www.zedat.fu-berlin.de/ 14195 Berlin


_______________________________________________
Davical-general mailing list
Davical-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/davical-general
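
Florian's question above, whether the installed files were still the pristine Debian package, can be answered with `dpkg --verify`. The script below is an added example, not part of the thread: the function names are hypothetical and the sample output is constructed, not taken from the reporter's machine.

```shell
#!/bin/sh
# Added example (not from the thread): list packaged files whose content no
# longer matches the checksums recorded for the installed .deb.
#
# `dpkg --verify` prints one line per failing path in rpm style:
#   9 check characters, a space, an attribute character
#   ('c' = conffile, ' ' = regular file), a space, then the path.
# The third check character is '5' when the MD5 check failed; newer dpkg
# releases print "missing" in the check field for absent files.

# Reads `dpkg --verify` output on stdin and prints the paths of
# non-conffiles that fail the MD5 check or are reported missing.
locally_changed_files() {
    awk '
        length($0) < 13 { next }            # too short to carry a path
        {
            checks = substr($0, 1, 9)
            attr   = substr($0, 11, 1)
            path   = substr($0, 13)
            if (attr == "c") next           # edited conffiles are expected
            if (substr(checks, 3, 1) == "5" || checks ~ /^missing/)
                print path
        }'
}

# Constructed sample output for illustration only.
SAMPLE_VERIFY_OUTPUT='??5?????? c /etc/davical/config.php
??5??????   /usr/share/davical/inc/DAViCalSession.php
missing     /usr/share/awl/inc/Session.php'

# Runs the filter over the constructed sample.
sample_report() {
    printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | locally_changed_files
}

# On a real host:
#   dpkg --verify davical libawl-php | locally_changed_files
```

An empty result means every non-configuration file still matches the package; any path listed was changed or removed after installation.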

Re: [DAViCal-devel] davical_1.1.5-1+deb9u1 -- potentially breaks web interface-configuration
Salut Florian

Thank you for your reply and pardon my late reply.

I ended up with

    apt-get install --reinstall davical libawl-php

and since then, the web-interface is working again.

Happy New Year!

Lukas

On 18.12.2019 03:25, Florian Schlichting wrote:

> Hi Lukas,
>
> this sounds worrying, but are you sure you were using the pristine
> Debian package before? I think you must have applied
> https://gitlab.com/davical-project/davical/commit/40e2714adf96fe8bd549b90182de75fade27c897
> or used the backports package (which isn't updated yet).
>
> I'm sorry I forgot that the entire web-interface is dysfunctional in
> Debian 9, I could have tried to get that fix in with the Security
> update, or if there's popular demand work on an oldstable update. But
> what I'd really suggest is upgrading to the latest versions of davical
> and awl, which contain many many fixes to small-ish issues...
>
> Florian

