Date:      Thu, 1 Nov 2012 14:10:55 +0000 (UTC)
From:      Florian Smeets <flo@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r306803 - in head: security/vuxml www/rt38
Message-ID:  <201211011410.qA1EAt7V007643@svn.freebsd.org>

Author: flo
Date: Thu Nov  1 14:10:55 2012
New Revision: 306803
URL: http://svn.freebsd.org/changeset/ports/306803

Log:
  Update to 3.8.15
  
  Security:	4b738d54-2427-11e2-9817-c8600054b392
  Feature safe:	yes

Modified:
  head/security/vuxml/vuln.xml
  head/www/rt38/Makefile
  head/www/rt38/distinfo   (contents, props changed)
  head/www/rt38/pkg-plist   (contents, props changed)

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Nov  1 13:55:03 2012	(r306802)
+++ head/security/vuxml/vuln.xml	Thu Nov  1 14:10:55 2012	(r306803)
@@ -51,6 +51,65 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="4b738d54-2427-11e2-9817-c8600054b392">
+    <topic>RT -- Multiple Vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>rt40</name>
+	<range><ge>4.0</ge><lt>4.0.8</lt></range>
+      </package>
+      <package>
+	<name>rt38</name>
+	<range><lt>3.8.15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>BestPractical report:</p>
+	<blockquote cite="http://blog.bestpractical.com/2012/10/security-vulnerabilities-in-rt.html">;
+	  <p>All versions of RT are vulnerable to an email header injection
+	    attack. Users with ModifySelf or AdminUser can cause RT to add
+	    arbitrary headers or content to outgoing mail. Depending on the
+	    scrips that are configured, this may be be leveraged for information
+	    leakage or phishing.</p>
+	  <p>RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability
+	    due to lack of proper rights checking, allowing any privileged user
+	    to create Articles in any class.</p>
+	  <p>All versions of RT with cross-site-request forgery (CSRF)
+	    protection (RT 3.8.12 and above, RT 4.0.6 and above, and any
+	    instances running the security patches released 2012-05-22) contain
+	    a vulnerability which incorrectly allows though CSRF requests which
+	    toggle ticket bookmarks.</p>
+	  <p>All versions of RT are vulnerable to a confused deputy attack on
+	    the user. While not strictly a CSRF attack, users who are not logged
+	    in who are tricked into following a malicious link may, after
+	    supplying their credentials, be subject to an attack which leverages
+	    their credentials to modify arbitrary state. While users who were
+	    logged in would have observed the CSRF protection page, users who
+	    were not logged in receive no such warning due to the intervening
+	    login process. RT has been extended to notify users of pending
+	    actions during the login process.</p>
+	  <p>RT 3.8.0 and above are susceptible to a number of vulnerabilities
+	    concerning improper signing or encryption of messages using GnuPG;
+	    if GnuPG is not enabled, none of the following affect you.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2012-4730</cvename>
+      <cvename>CVE-2012-4731</cvename>
+      <cvename>CVE-2012-4732</cvename>
+      <cvename>CVE-2012-4734</cvename>
+      <cvename>CVE-2012-4735</cvename>
+      <cvename>CVE-2012-4884</cvename>
+      <url>http://blog.bestpractical.com/2012/10/security-vulnerabilities-in-rt.html</url>;
+    </references>
+    <dates>
+      <discovery>2012-10-26</discovery>
+      <entry>2012-11-01</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5">
     <topic>drupal7 -- multiple vulnerabilities</topic>
     <affects>
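Review bot: the `<affects>` block marks rt40 from 4.0 up to (but not including) 4.0.8 as vulnerable, yet this revision only touches www/rt38 (see the Modified list), so tools consuming vuxml will flag the rt40 port with no fixed version in the tree until it is bumped separately; confirm that update is coordinated. In the `<description>`, the quoted text ends with "if GnuPG is not enabled, none of the following affect you" without the GnuPG items it refers to, which leaves a dangling reference; either quote the relevant items or end the quotation after "using GnuPG". The quoted "may be be leveraged" and "allows though CSRF requests" read as typos, though if they are verbatim from the upstream post, keeping them is the usual vuxml practice. Style: the topic "RT -- Multiple Vulnerabilities" uses capitals where the neighbouring entry reads "drupal7 -- multiple vulnerabilities"; lowercase keeps the file consistent.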

Modified: head/www/rt38/Makefile
==============================================================================
--- head/www/rt38/Makefile	Thu Nov  1 13:55:03 2012	(r306802)
+++ head/www/rt38/Makefile	Thu Nov  1 14:10:55 2012	(r306803)
@@ -8,7 +8,7 @@
 #   o install a sample into etc/apache22/Includes
 
 PORTNAME=	rt
-PORTVERSION=	3.8.14
+PORTVERSION=	3.8.15
 CATEGORIES=	www
 MASTER_SITES=	http://download.bestpractical.com/pub/rt/release/ \
 		ftp://ftp.eu.uu.net/pub/unix/ticketing/rt/release/
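Review bot: this hunk bumps only PORTVERSION to 3.8.15; if the Makefile carries a PORTREVISION line outside the visible context it should be removed in the same commit, since a version bump resets it.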

Modified: head/www/rt38/distinfo
==============================================================================
--- head/www/rt38/distinfo	Thu Nov  1 13:55:03 2012	(r306802)
+++ head/www/rt38/distinfo	Thu Nov  1 14:10:55 2012	(r306803)
@@ -1,2 +1,2 @@
-SHA256 (rt-3.8.14.tar.gz) = 59c892a08746cf83fdfdf0ef4584d929983e22b5f5d17980b7541ac028933509
-SIZE (rt-3.8.14.tar.gz) = 5593322
+SHA256 (rt-3.8.15.tar.gz) = fca1283189bd670fde7a041e99e85aa4a58e0e302bb1f3c7ddab2f4997b5da55
+SIZE (rt-3.8.15.tar.gz) = 5650409

Modified: head/www/rt38/pkg-plist
==============================================================================
--- head/www/rt38/pkg-plist	Thu Nov  1 13:55:03 2012	(r306802)
+++ head/www/rt38/pkg-plist	Thu Nov  1 14:10:55 2012	(r306803)
@@ -463,6 +463,7 @@ share/rt38/html/Elements/HeaderJavascrip
 share/rt38/html/Elements/ListActions
 share/rt38/html/Elements/ListMenu
 share/rt38/html/Elements/Login
+share/rt38/html/Elements/LoginRedirectWarning
 share/rt38/html/Elements/Logo
 share/rt38/html/Elements/Logout
 share/rt38/html/Elements/MakeClicky
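Review bot: the added share/rt38/html/Elements/LoginRedirectWarning matches the "notify users of pending actions during the login process" change described in the vuxml entry, so the plist addition is expected. A minor release carrying several security fixes may ship more than one new Mason component, so it is worth confirming this plist was regenerated from the installed 3.8.15 file list rather than edited by hand.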
