From: Bryan Drewery
Date: Wed, 15 Aug 2012 19:45:50 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: svn commit: r302596 - in head: security/vuxml www/typo3 www/typo345 www/typo346
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: SVN commit messages for the ports tree for head
X-List-Received-Date: Wed, 15 Aug 2012 19:45:51 -0000

Author: bdrewery
Date: Wed Aug 15 19:45:50 2012
New Revision: 302596
URL: http://svn.freebsd.org/changeset/ports/302596

Log:
  - Update www/typo3 to 4.7.4 [1]
  - Convert to new options framework [1]
  - Update www/typo345 to 4.5.19 [2]
  - Update www/typo346 to 4.6.12 [3]
  - Changes: https://typo3.org/news/article/typo3-4519-4612-and-474-released/
  - Document security vulnerabilities [4]
    https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004/

  PR: ports/170650 [1]
  PR: ports/170647 [2]
  PR: ports/170649 [3]
  Submitted by: Helmut Schneider (maintainer)
  Security: 48bcb4b2-e708-11e1-a59d-000d601460a4 [4]
  Approved by: eadler (mentor)

Modified:
  head/security/vuxml/vuln.xml
  head/www/typo3/Makefile
  head/www/typo3/distinfo
  head/www/typo3/pkg-descr
  head/www/typo3/pkg-plist
  head/www/typo345/Makefile
  head/www/typo345/distinfo
  head/www/typo345/pkg-plist
  head/www/typo346/Makefile
  head/www/typo346/distinfo
  head/www/typo346/pkg-plist

Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Aug 15 19:44:22 2012 (r302595) +++ head/security/vuxml/vuln.xml Wed Aug 15 19:45:50 2012 (r302596) 
@@ -52,6 +52,56 @@ Note: Please add new entries to the beg --> + + typo3 -- Multiple vulernabilities in TYPO3 Core + + + typo3 + 4.5.04.5.19 + 4.6.04.6.12 + 4.7.04.7.4 + + + + +

Typo Security Team reports:

+
+

It has been discovered that TYPO3 Core is vulnerable to Cross-Site + Scripting, Information Disclosure, Insecure Unserialize leading to + Arbitrary Code Execution.

+

TYPO3 Backend Help System - Due to a missing signature (HMAC) for a + parameter in the view_help.php file, an attacker could unserialize + arbitrary objects within TYPO3. We are aware of a working exploit, + which can lead to arbitrary code execution. A valid backend user + login or multiple successful cross site request forgery attacks are + required to exploit this vulnerability.

+

TYPO3 Backend - Failing to properly HTML-encode user input in + several places, the TYPO3 backend is susceptible to Cross-Site + Scripting. A valid backend user is required to exploit these + vulnerabilities.

+

TYPO3 Backend - Accessing the configuration module discloses the + Encryption Key. A valid backend user with access to the + configuration module is required to exploit this vulnerability.

+

TYPO3 HTML Sanitizing API - By not removing several HTML5 + JavaScript events, the API method t3lib_div::RemoveXSS() fails to + filter specially crafted HTML injections, thus is susceptible to + Cross-Site Scripting. Failing to properly encode for JavaScript the + API method t3lib_div::quoteJSvalue(), it is susceptible to Cross-Site + Scripting.

+

TYPO3 Install Tool - Failing to properly sanitize user input, the + Install Tool is susceptible to Cross-Site Scripting.

+
+ +
+ + https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-004/ + + + 2012-08-15 + 2012-08-15 + +
+ fetchmail -- two vulnerabilities in NTLM authentication Modified: head/www/typo3/Makefile ============================================================================== --- head/www/typo3/Makefile Wed Aug 15 19:44:22 2012 (r302595) +++ head/www/typo3/Makefile Wed Aug 15 19:45:50 2012 (r302596) @@ -6,7 +6,7 @@ # PORTNAME= typo3 -PORTVERSION= 4.7.2 +PORTVERSION= 4.7.4 CATEGORIES= www MASTER_SITES= SF/${PORTNAME}/TYPO3%20Source%20and%20Dummy/TYPO3%20${PORTVERSION} @@ -31,31 +31,30 @@ PLIST_SUB+= PORTVERSION="${PORTVERSION}" DISTFILES+= ${TYPO3SRC}${EXTRACT_SUFX} ${TYPO3DUMMY}${EXTRACT_SUFX} -OPTIONS= CURL "Configure with cURL support" off \ - GD "Configure with GDlib/freetype support" off \ - IMAGICK "Configure with ImageMagick support" off \ - MBSTRING "Configure with mbstring support" off \ - ZLIB "Configure with zlib support" off +OPTIONS_DEFINE= CURL GD IMAGICK MBSTRING ZLIB +IMAGICK_DESC= ${IMAGEMAGICK_DESC} +MBSTRING_DESC= ${MULTIBYTE_DESC} +GD_DESC= GDlib/freetype support .include -.if defined(WITH_CURL) +.if ${PORT_OPTIONS:MCURL} USE_PHP+= curl .endif -.if defined(WITH_GD) +.if ${PORT_OPTIONS:MGD} USE_PHP+= gd .endif -.if defined(WITH_IMAGICK) +.if ${PORT_OPTIONS:MIMAGICK} RUN_DEPENDS+= ${LOCALBASE}/bin/convert:${PORTSDIR}/graphics/ImageMagick .endif -.if defined(WITH_MBSTRING) +.if ${PORT_OPTIONS:MMBSTRING} USE_PHP+= mbstring .endif -.if defined(WITH_ZLIB) +.if ${PORT_OPTIONS:MZLIB} USE_PHP+= zlib .endif Modified: head/www/typo3/distinfo ============================================================================== --- head/www/typo3/distinfo Wed Aug 15 19:44:22 2012 (r302595) +++ head/www/typo3/distinfo Wed Aug 15 19:45:50 2012 (r302596) 
@@ -1,4 +1,4 @@ -SHA256 (typo3_src-4.7.2.tar.gz) = 43a3390b2580f7c74819377441b669d3d2d0a62c686036224e073b7b1db90ee9 -SIZE (typo3_src-4.7.2.tar.gz) = 22374815 -SHA256 (dummy-4.7.2.tar.gz) = 693a2c30325aa1697f5f3bb905caf755fcf6db4718008635af1461ccea56761c -SIZE (dummy-4.7.2.tar.gz) = 10148 +SHA256 (typo3_src-4.7.4.tar.gz) = f770f8ae7cbb1b2a70547d9dcc53b6e2372467940884b3e0701b1c221682193d +SIZE (typo3_src-4.7.4.tar.gz) = 22375813 +SHA256 (dummy-4.7.4.tar.gz) = 21e17c67783a9e91ad39a011604fd61ceb946627e835943d32609f4a4393ba4b +SIZE (dummy-4.7.4.tar.gz) = 10139 Modified: head/www/typo3/pkg-descr ============================================================================== --- head/www/typo3/pkg-descr Wed Aug 15 19:44:22 2012 (r302595) +++ head/www/typo3/pkg-descr Wed Aug 15 19:45:50 2012 (r302596) @@ -3,7 +3,7 @@ on the web and in intranets. It offers f featuring an accomplished set of ready-made interfaces, functions and modules. This version is the current stable release. It is recommended for existing -projects and will get full support (bugfixes and security fixes) until April 2013, -but will get security fixes until October 2013. +projects and will get full support (bugfixes and security fixes) until April +2013, but will get security fixes until October 2013. WWW: http://typo3.org/ Modified: head/www/typo3/pkg-plist ============================================================================== --- head/www/typo3/pkg-plist Wed Aug 15 19:44:22 2012 (r302595) +++ head/www/typo3/pkg-plist Wed Aug 15 19:45:50 2012 (r302596) @@ -20,7 +20,6 @@ %%WWWDIR%%/uploads/media/index.html %%WWWDIR%%/uploads/pics/index.html %%WWWDIR%%/uploads/tf/index.html -%%WWWDIR%%_src-%%PORTVERSION%%/.travis.yml %%WWWDIR%%_src-%%PORTVERSION%%/ChangeLog %%WWWDIR%%_src-%%PORTVERSION%%/GPL.txt %%WWWDIR%%_src-%%PORTVERSION%%/INSTALL.txt 
@@ -136,6 +135,7 @@ %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/class.t3lib_userauth.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/class.t3lib_userauthgroup.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/class.t3lib_xml.php +%%WWWDIR%%_src-%%PORTVERSION%%/t3lib/codec/class.t3lib_codec_javascriptencoder.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/collection/AbstractRecordCollection.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/collection/RecordCollectionRepository.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/collection/StaticRecordCollection.php @@ -9251,6 +9251,7 @@ @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/contextmenu @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/collection/interfaces @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/collection +@dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/codec @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/cache/frontend/interfaces @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/cache/frontend @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/cache/exception Modified: head/www/typo345/Makefile ============================================================================== --- head/www/typo345/Makefile Wed Aug 15 19:44:22 2012 (r302595) +++ head/www/typo345/Makefile Wed Aug 15 19:45:50 2012 (r302596) @@ -6,7 +6,7 @@ # PORTNAME= typo3 -PORTVERSION= 4.5.18 +PORTVERSION= 4.5.19 CATEGORIES= www MASTER_SITES= SF/${PORTNAME}/TYPO3%20Source%20and%20Dummy/TYPO3%20${PORTVERSION} Modified: head/www/typo345/distinfo ============================================================================== --- head/www/typo345/distinfo Wed Aug 15 19:44:22 2012 (r302595) +++ head/www/typo345/distinfo Wed Aug 15 19:45:50 2012 (r302596) 
@@ -1,4 +1,4 @@ -SHA256 (typo3_src-4.5.18.tar.gz) = 68da30e14124c697c070046b14886ec64ecd38b8b17895a122e1a5f45e516fa2 -SIZE (typo3_src-4.5.18.tar.gz) = 20559614 -SHA256 (dummy-4.5.18.tar.gz) = 9a88878e802ff1b743152cc0f79ed038e769c2436784266725e02d848a07f18d -SIZE (dummy-4.5.18.tar.gz) = 9858 +SHA256 (typo3_src-4.5.19.tar.gz) = 9a70d9e8980acdd5745c7b141d92ff9f680e360905befd484b51e07d13e3a0ba +SIZE (typo3_src-4.5.19.tar.gz) = 20560147 +SHA256 (dummy-4.5.19.tar.gz) = 9ed92532a2827e0d3503683e076b3cef90fe89ff1010a4a0b70a9a172c54bafb +SIZE (dummy-4.5.19.tar.gz) = 9858 Modified: head/www/typo345/pkg-plist ============================================================================== --- head/www/typo345/pkg-plist Wed Aug 15 19:44:22 2012 (r302595) +++ head/www/typo345/pkg-plist Wed Aug 15 19:45:50 2012 (r302596) @@ -136,6 +136,7 @@ %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/class.t3lib_userauth.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/class.t3lib_userauthgroup.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/class.t3lib_xml.php +%%WWWDIR%%_src-%%PORTVERSION%%/t3lib/codec/class.t3lib_codec_javascriptencoder.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/config_default.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/contextmenu/class.t3lib_contextmenu_abstractcontextmenu.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/contextmenu/class.t3lib_contextmenu_abstractdataprovider.php 
@@ -8300,6 +8301,7 @@ @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/contextmenu/pagetree @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/contextmenu/extdirect @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/contextmenu +@dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/codec @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/cache/frontend/interfaces @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/cache/frontend @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/cache/exception Modified: head/www/typo346/Makefile ============================================================================== --- head/www/typo346/Makefile Wed Aug 15 19:44:22 2012 (r302595) +++ head/www/typo346/Makefile Wed Aug 15 19:45:50 2012 (r302596) @@ -6,7 +6,7 @@ # PORTNAME= typo3 -PORTVERSION= 4.6.11 +PORTVERSION= 4.6.12 CATEGORIES= www MASTER_SITES= SF/${PORTNAME}/TYPO3%20Source%20and%20Dummy/TYPO3%20${PORTVERSION} Modified: head/www/typo346/distinfo ============================================================================== --- head/www/typo346/distinfo Wed Aug 15 19:44:22 2012 (r302595) +++ head/www/typo346/distinfo Wed Aug 15 19:45:50 2012 (r302596) @@ -1,4 +1,4 @@ -SHA256 (typo3_src-4.6.11.tar.gz) = 62acbc0876c2cbf452c435a5a09e11b60b3ea8d724a455f92d2caea07bb2ff89 -SIZE (typo3_src-4.6.11.tar.gz) = 21289682 -SHA256 (dummy-4.6.11.tar.gz) = 87e711ba875c3f9c90d730ff6a5c14b5c05bf2da06de46b0fe98090d04e9bdc2 -SIZE (dummy-4.6.11.tar.gz) = 10138 +SHA256 (typo3_src-4.6.12.tar.gz) = 99ba9550ed74b1c9185fda8bcaf17da3a7b433fd62608afcb24c21a7f25df8b8 +SIZE (typo3_src-4.6.12.tar.gz) = 21288826 +SHA256 (dummy-4.6.12.tar.gz) = cfa9a8a1b4fad18d27fc0a88b0e2e165b2d4d4cf5eada2343819f9621a77f508 +SIZE (dummy-4.6.12.tar.gz) = 10143 Modified: head/www/typo346/pkg-plist ============================================================================== --- head/www/typo346/pkg-plist Wed Aug 15 19:44:22 2012 (r302595) +++ head/www/typo346/pkg-plist Wed Aug 15 19:45:50 2012 (r302596) 
@@ -136,6 +136,7 @@ %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/class.t3lib_userauth.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/class.t3lib_userauthgroup.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/class.t3lib_xml.php +%%WWWDIR%%_src-%%PORTVERSION%%/t3lib/codec/class.t3lib_codec_javascriptencoder.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/config_default.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/contextmenu/class.t3lib_contextmenu_abstractcontextmenu.php %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/contextmenu/class.t3lib_contextmenu_abstractdataprovider.php @@ -8994,6 +8995,7 @@ @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/contextmenu/pagetree @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/contextmenu/extdirect @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/contextmenu +@dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/codec @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/cache/frontend/interfaces @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/cache/frontend @dirrm %%WWWDIR%%_src-%%PORTVERSION%%/t3lib/cache/exception
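
Review bot: in the new head/security/vuxml/vuln.xml entry, the topic line reads "Multiple vulernabilities in TYPO3 Core"; "vulernabilities" should be "vulnerabilities", and the topic is the text users see in audit output, so it is worth correcting in a follow-up. The attribution "Typo Security Team reports:" should name the project as TYPO3, as the rest of the entry does. The references list only the bulletin URL; if CVE identifiers have been assigned to these issues, adding them would let the entry be cross-referenced against other advisories.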
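
Review bot: in head/www/typo3/Makefile at @@ -31,31 +31,30 @@, GD_DESC is placed after IMAGICK_DESC and MBSTRING_DESC although OPTIONS_DEFINE lists the options as CURL GD IMAGICK MBSTRING ZLIB; keeping the *_DESC lines in the same order makes a missing description easier to spot. CURL and ZLIB get no *_DESC in this hunk, so please confirm the framework's shared descriptions cover both. The options conversion is also independent of the 4.7.4 security update, and committing it separately would make the security change simpler to audit or revert.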
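
Review bot: in head/www/typo345/distinfo, SIZE (dummy-4.5.19.tar.gz) remains 9858, identical to the removed dummy-4.5.18.tar.gz line, while the SHA256 changes; that is plausible for a small content change but worth confirming with a fresh fetch of the distfile. For all three distinfo updates in this commit, since these are security releases, the new SHA256 values should be compared with checksums obtained from upstream rather than only regenerated locally.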