From: Matthew Seaman
Date: Thu, 26 Jul 2012 17:46:52 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r301571 - in head: security/vuxml www/p5-RT-Authen-ExternalAuth
X-SVN-Group: ports-head

Author: matthew
Date: Thu Jul 26 17:46:51 2012
New Revision: 301571
URL: http://svn.freebsd.org/changeset/ports/301571

Log:
  Security update to 0.11

  ChangeLog:

  0.11 2012-07-03 Alex Vandiver
   * Obfuscate passwords in RT's System Configuration page
   * Set an empty CurrentUser on failure, instead of removing it entirely

  0.10_01 2012-02-23 Thomas Sibley
   * Escape usernames in filter values so special characters don't die

  0.10 2012-02-17 Thomas Sibley
   * Silence confusing log messages when $ExternalInfoPriority is empty

  0.09_03 2012-01-27 Thomas Sibley
   * Fetch the necessary attributes when group_attr_value is used
   * Test escaping of commas during the group check

  0.09_02 2012-01-26 Thomas Sibley
   * Improved logging inside the LDAP group membership check

  0.09_01 2012-01-23 Thomas Sibley
   * Improved logic when dealing with Disabled/disabling users
   * Configurable group membership attribute values
   * Group membership tests

  Security Advisory:
  http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html

  Approved by: shaun (mentor)
  Security: cdc4ff0e-d736-11e1-8221-e0cb4e266481

Modified:
  head/security/vuxml/vuln.xml
  head/www/p5-RT-Authen-ExternalAuth/Makefile (contents, props changed)
  head/www/p5-RT-Authen-ExternalAuth/distinfo (contents, props changed)

Modified: head/security/vuxml/vuln.xml
============================================================================== --- head/security/vuxml/vuln.xml Thu Jul 26 17:43:34 2012 (r301570) +++ head/security/vuxml/vuln.xml Thu Jul 26 17:46:51 2012 (r301571) @@ -52,6 +52,39 @@ Note: Please add new entries to the beg --> + + p5-RT-Authen-ExternalAuth -- privilege escalation + + + p5-RT-Authen-ExternalAuth + 0.11 + + + + +

The RT development team reports:

+
+

RT::Authen::ExternalAuth 0.10 and below (for all versions + of RT) are vulnerable to an escalation of privilege attack + where the URL of a RSS feed of the user can be used to + acquire a fully logged-in session as that user. + CVE-2012-2770 has been assigned to this vulnerability.

+

Users of RT 3.8.2 and above should upgrade to + RT::Authen::ExternalAuth 0.11, which resolves this + vulnerability.

+
+ +
+ + http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html + CVE-2012-2770 + + + 2012-07-25 + 2012-07-26 + +
+ isc-dhcp -- multiple vulnerabilities Modified: head/www/p5-RT-Authen-ExternalAuth/Makefile ============================================================================== --- head/www/p5-RT-Authen-ExternalAuth/Makefile Thu Jul 26 17:43:34 2012 (r301570) +++ head/www/p5-RT-Authen-ExternalAuth/Makefile Thu Jul 26 17:46:51 2012 (r301571) @@ -6,8 +6,7 @@ # PORTNAME= RT-Authen-ExternalAuth -DISTVERSION= 0.09 -PORTREVISION= 2 +DISTVERSION= 0.11 CATEGORIES= www net perl5 MASTER_SITES= CPAN MASTER_SITE_SUBDIR= CPAN:FALCONE Modified: head/www/p5-RT-Authen-ExternalAuth/distinfo ============================================================================== --- head/www/p5-RT-Authen-ExternalAuth/distinfo Thu Jul 26 17:43:34 2012 (r301570) +++ head/www/p5-RT-Authen-ExternalAuth/distinfo Thu Jul 26 17:46:51 2012 (r301571) @@ -1,2 +1,2 @@ -SHA256 (RT-Authen-ExternalAuth-0.09.tar.gz) = 4b2fd506f55c69b126c191c330f4bdd89ccec364077e1fd035610d19f38319bc -SIZE (RT-Authen-ExternalAuth-0.09.tar.gz) = 56056 +SHA256 (RT-Authen-ExternalAuth-0.11.tar.gz) = 42859c5d5bdf7b95f9f408ab70f8589a1c2c3c2cdd53d9d405658f4d08fd549e +SIZE (RT-Authen-ExternalAuth-0.11.tar.gz) = 62805
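Review bot: in the vuln.xml hunk, the affected range for p5-RT-Authen-ExternalAuth carries only the bound 0.11, while the quoted advisory text says "0.10 and below". The package this entry has to match is the port as it stood before this commit, 0.09 with PORTREVISION 2 per the Makefile hunk, so the bound needs to be a strict less-than on 0.11 with no lower bound. Run `make validate` in security/vuxml and check that an installed 0.09_2 package is flagged before relying on the entry.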
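Review bot: in the Makefile hunk, MASTER_SITE_SUBDIR= CPAN:FALCONE stays as unchanged context, yet the commit log credits the 0.11 release to Alex Vandiver. If the 0.11 tarball was uploaded under a different CPAN author directory, the primary fetch location is wrong and users depend on fallback mirrors for a security fix. Confirm that a clean `make fetch` retrieves RT-Authen-ExternalAuth-0.11.tar.gz from that subdirectory, and adjust the subdir if it does not. Dropping PORTREVISION= 2 together with the DISTVERSION bump is correct, since the version increases.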
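Review bot: in the distinfo hunk, the new SHA256 and SIZE lines for RT-Authen-ExternalAuth-0.11.tar.gz are the only integrity anchor users get for a release that fixes CVE-2012-2770, and nothing in the commit records what the hash was checked against. Suggest comparing the value with an independent source, for example the CPAN CHECKSUMS file in the author directory, rather than taking it only from a local `make makesum`, and saying so in the log.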