Date: Wed, 6 Jul 2005 09:01:55 +0800 (CST)
From: chinsan <chinsan.tw@gmail.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: vanilla@FreeBSD.org
Subject: ports/83042: [MAINTAINER UPDATE] www/b2evo: Fix for XML-RPC vulnerability
Message-ID: <20050706010155.B72627301F@chinsan.twbbs.org>
Resent-Message-ID: <200507060110.j661A4Ys055153@freefall.freebsd.org>
>Number: 83042 >Category: ports >Synopsis: [MAINTAINER UPDATE] www/b2evo: Fix for XML-RPC vulnerability >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Jul 06 01:10:04 GMT 2005 >Closed-Date: >Last-Modified: >Originator: chinsan >Release: FreeBSD 5.3-RELEASE i386 >Organization: FreeBSD Taiwan >Environment: System: FreeBSD chinsan.twbbs.org 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov 5 04:19:18 UTC 2004 root@harlow.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 >Description: A critical security issue has been discovered in the XML-RPC for PHP that most applications use, including b2evolution. It is highly recommended to fix. This should overwrite the two following files in /blogs/b2evocore/ folder: * _functions_xmlrpc.php * _functions_xmlrpcs.php This patch has been tested on the latest 0.9.0.12 "Amsterdam" release but is believed to work on all 0.9.0.x versions. The patch will be included in future releases. Ref: http://b2evolution.net/news/2005/07/05/fix_for_xml_rpc_vulnerability >How-To-Repeat: http://b2evolution.net/news/2005/07/05/fix_for_xml_rpc_vulnerability >Fix: --- b2evo.patch begins here --- diff -ruN b2evo.orig/Makefile b2evo/Makefile --- b2evo.orig/Makefile Wed Jul 6 08:36:54 2005 +++ b2evo/Makefile Wed Jul 6 08:55:46 2005 @@ -7,11 +7,15 @@ PORTNAME= b2evolution PORTVERSION= 0.9.0.12 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= evocms -DISTNAME= ${PORTNAME}-${PORTVERSION}-${B2EVO_DATE} +DISTNAME= ${PORTNAME}-${PORTVERSION}-${B2EVO_DATE} \ + xmlrpc_fix_111 +EXTRACT_ONLY= ${PORTNAME}-${PORTVERSION}-${B2EVO_DATE} +# Maintainership available: drop me a line if interested :p MAINTAINER= chinsan.tw@gmail.com COMMENT= A multilingual, multiuser, multi-blog engine 
@@ -41,6 +45,10 @@ PLIST= ${WRKDIR}/pkg-plist .include <bsd.port.pre.mk> + +post-extract: + cd ${WRKSRC}/blogs/b2evocore \ + && ${EXTRACT_CMD} ${EXTRACT_BEFORE_ARGS} ${DISTDIR}/xmlrpc_fix_111${EXTRACT_SUFX} pre-install: cd ${WRKSRC} && ${FIND} -s . -type f | \ diff -ruN b2evo.orig/distinfo b2evo/distinfo --- b2evo.orig/distinfo Wed Jul 6 08:36:54 2005 +++ b2evo/distinfo Wed Jul 6 08:54:36 2005 @@ -1,2 +1,4 @@ -MD5 (b2evolution-0.9.0.12-2005-05-06.zip) = 7f08250c3d08c2c55e75655fbffa2d98 -SIZE (b2evolution-0.9.0.12-2005-05-06.zip) = 2857939 +MD5 (b2evolution-0.9.0.12-2005-05-06) = 7f08250c3d08c2c55e75655fbffa2d98 +SIZE (b2evolution-0.9.0.12-2005-05-06) = 2857939 +MD5 (xmlrpc_fix_111.zip) = b57b76bc30d8cb4857fc66ea53f78344 +SIZE (xmlrpc_fix_111.zip) = 20432 --- b2evo.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
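Review bot: In the first Makefile hunk, DISTNAME is assigned two words (`${PORTNAME}-${PORTVERSION}-${B2EVO_DATE}` and `xmlrpc_fix_111`), but DISTNAME is meant to be a single name, and the ports framework derives the default DISTFILES and WRKSRC from it. The distinfo hunk shows the side effect: the main archive entry is renamed from `b2evolution-0.9.0.12-2005-05-06.zip` to `b2evolution-0.9.0.12-2005-05-06` with unchanged MD5 and SIZE, which suggests the suffix now lands only on the last word, and EXTRACT_ONLY likewise names a file without `.zip`. Suggest leaving DISTNAME as it was and listing both archives explicitly, e.g. `DISTFILES= ${DISTNAME}${EXTRACT_SUFX} xmlrpc_fix_111${EXTRACT_SUFX}` with `EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX}`, so the existing distinfo lines stay as they were and only the two xmlrpc_fix_111.zip lines are added. It is also worth confirming that xmlrpc_fix_111.zip is actually served from the SourceForge MASTER_SITES entry, since the description points to b2evolution.net as the source of the fix.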
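Review bot: In the post-extract target added by the second Makefile hunk, nothing verifies that the fix archive really replaced `_functions_xmlrpc.php` and `_functions_xmlrpcs.php` in `${WRKSRC}/blogs/b2evocore`, which is the whole point of this security update. The command unpacks whatever xmlrpc_fix_111 contains into that directory; if the archive carries a leading directory, the two vulnerable files stay in place, the build still succeeds, and because pre-install builds the plist from `${FIND} -s . -type f` the stray copies get installed alongside them. Suggest adding a comment that this step applies the XML-RPC fix, and failing the target unless both files in b2evocore were overwritten by the extraction (for example by comparing them against the originals, or by extracting only those two named members).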