Date: Thu, 26 Jul 2012 17:46:52 +0000 (UTC) From: Matthew Seaman <matthew@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r301571 - in head: security/vuxml www/p5-RT-Authen-ExternalAuth Message-ID: <201207261746.q6QHkqWw009570@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: matthew Date: Thu Jul 26 17:46:51 2012 New Revision: 301571 URL: http://svn.freebsd.org/changeset/ports/301571 Log: Security update to 0.11 ChangeLog: 0.11 2012-07-03 Alex Vandiver * Obfuscate passwords in RT's System Configuration page * Set an empty CurrentUser on failure, instead of removing it entirely 0.10_01 2012-02-23 Thomas Sibley * Escape usernames in filter values so special characters don't die 0.10 2012-02-17 Thomas Sibley * Silence confusing log messages when $ExternalInfoPriority is empty 0.09_03 2012-01-27 Thomas Sibley * Fetch the necessary attributes when group_attr_value is used * Test escaping of commas during the group check 0.09_02 2012-01-26 Thomas Sibley * Improved logging inside the LDAP group membership check 0.09_01 2012-01-23 Thomas Sibley * Improved logic when dealing with Disabled/disabling users * Configurable group membership attribute values * Group membership tests Security Advisory: http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html Approved by: shaun (mentor) Security: cdc4ff0e-d736-11e1-8221-e0cb4e266481 Modified: head/security/vuxml/vuln.xml head/www/p5-RT-Authen-ExternalAuth/Makefile (contents, props changed) head/www/p5-RT-Authen-ExternalAuth/distinfo (contents, props changed) Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Jul 26 17:43:34 2012 (r301570) +++ head/security/vuxml/vuln.xml Thu Jul 26 17:46:51 2012 (r301571) @@ -52,6 +52,39 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="cdc4ff0e-d736-11e1-8221-e0cb4e266481"> + <topic>p5-RT-Authen-ExternalAuth -- privilege escalation</topic> + <affects> + <package> + <name>p5-RT-Authen-ExternalAuth</name> + <range><lt>0.11</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The RT development team reports:</p> + <blockquote cite="http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html">; + <p>RT::Authen::ExternalAuth 0.10 and below (for all versions + of RT) are vulnerable to an escalation of privilege attack + where the URL of a RSS feed of the user can be used to + acquire a fully logged-in session as that user. + CVE-2012-2770 has been assigned to this vulnerability.</p> + <p>Users of RT 3.8.2 and above should upgrade to + RT::Authen::ExternalAuth 0.11, which resolves this + vulnerability.</p> + </blockquote> + </body> + </description> + <references> + <url>http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html</url>; + <cvename>CVE-2012-2770</cvename> + </references> + <dates> + <discovery>2012-07-25</discovery> + <entry>2012-07-26</entry> + </dates> + </vuln> + <vuln vid="c7fa3618-d5ff-11e1-90a2-000c299b62e1"> <topic>isc-dhcp -- multiple vulnerabilities</topic> <affects> Modified: head/www/p5-RT-Authen-ExternalAuth/Makefile ============================================================================== --- head/www/p5-RT-Authen-ExternalAuth/Makefile Thu Jul 26 17:43:34 2012 (r301570) +++ head/www/p5-RT-Authen-ExternalAuth/Makefile Thu Jul 26 17:46:51 2012 (r301571) @@ -6,8 +6,7 @@ # PORTNAME= RT-Authen-ExternalAuth -DISTVERSION= 0.09 -PORTREVISION= 2 +DISTVERSION= 0.11 CATEGORIES= www net perl5 MASTER_SITES= CPAN MASTER_SITE_SUBDIR= CPAN:FALCONE Modified: head/www/p5-RT-Authen-ExternalAuth/distinfo ============================================================================== --- head/www/p5-RT-Authen-ExternalAuth/distinfo Thu Jul 26 17:43:34 2012 (r301570) +++ head/www/p5-RT-Authen-ExternalAuth/distinfo Thu Jul 26 17:46:51 2012 (r301571) @@ -1,2 +1,2 @@ -SHA256 (RT-Authen-ExternalAuth-0.09.tar.gz) = 4b2fd506f55c69b126c191c330f4bdd89ccec364077e1fd035610d19f38319bc -SIZE (RT-Authen-ExternalAuth-0.09.tar.gz) = 56056 +SHA256 (RT-Authen-ExternalAuth-0.11.tar.gz) = 42859c5d5bdf7b95f9f408ab70f8589a1c2c3c2cdd53d9d405658f4d08fd549e +SIZE (RT-Authen-ExternalAuth-0.11.tar.gz) = 62805
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201207261746.q6QHkqWw009570>