Date:      Thu, 26 Jul 2012 17:46:52 +0000 (UTC)
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r301571 - in head: security/vuxml www/p5-RT-Authen-ExternalAuth
Message-ID:  <201207261746.q6QHkqWw009570@svn.freebsd.org>

Author: matthew
Date: Thu Jul 26 17:46:51 2012
New Revision: 301571
URL: http://svn.freebsd.org/changeset/ports/301571

Log:
  Security update to 0.11
  
  ChangeLog:
  
  0.11    2012-07-03  Alex Vandiver
  	* Obfuscate passwords in RT's System Configuration page
  	* Set an empty CurrentUser on failure, instead of removing it entirely
  
  0.10_01 2012-02-23  Thomas Sibley
  	* Escape usernames in filter values so special characters don't die
  
  0.10 2012-02-17  Thomas Sibley
       * Silence confusing log messages when $ExternalInfoPriority is empty
  
  0.09_03 2012-01-27	 Thomas Sibley
  	* Fetch the necessary attributes when group_attr_value is used
  	* Test escaping of commas during the group check
  
  0.09_02 2012-01-26	Thomas Sibley
  	* Improved logging inside the LDAP group membership check
  
  0.09_01 2012-01-23 Thomas Sibley
  	* Improved logic when dealing with Disabled/disabling users
  	* Configurable group membership attribute values
  	* Group membership tests
  
  Security Advisory:
  
      http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html
  
  Approved by:	shaun (mentor)
  Security:	cdc4ff0e-d736-11e1-8221-e0cb4e266481

Modified:
  head/security/vuxml/vuln.xml
  head/www/p5-RT-Authen-ExternalAuth/Makefile   (contents, props changed)
  head/www/p5-RT-Authen-ExternalAuth/distinfo   (contents, props changed)

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Jul 26 17:43:34 2012	(r301570)
+++ head/security/vuxml/vuln.xml	Thu Jul 26 17:46:51 2012	(r301571)
@@ -52,6 +52,39 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="cdc4ff0e-d736-11e1-8221-e0cb4e266481">
+    <topic>p5-RT-Authen-ExternalAuth -- privilege escalation</topic>
+    <affects>
+      <package>
+	<name>p5-RT-Authen-ExternalAuth</name>
+	<range><lt>0.11</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>The RT development team reports:</p>
+	<blockquote cite="http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html">;
+	  <p>RT::Authen::ExternalAuth 0.10 and below (for all versions
+	  of RT) are vulnerable to an escalation of privilege attack
+	  where the URL of a RSS feed of the user can be used to
+	  acquire a fully logged-in session as that user.
+	  CVE-2012-2770 has been assigned to this vulnerability.</p>
+	  <p>Users of RT 3.8.2 and above should upgrade to
+	  RT::Authen::ExternalAuth 0.11, which resolves this
+	  vulnerability.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html</url>;
+      <cvename>CVE-2012-2770</cvename>
+    </references>
+    <dates>
+      <discovery>2012-07-25</discovery>
+      <entry>2012-07-26</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="c7fa3618-d5ff-11e1-90a2-000c299b62e1">
     <topic>isc-dhcp -- multiple vulnerabilities</topic>
     <affects>
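
Review bot: The `<discovery>2012-07-25</discovery>` value in the new entry is later than the 2012-07-03 date that the ChangeLog in the commit message gives for the 0.11 release, so the fix predates the recorded discovery. If 2012-07-25 is meant as the publication date of the cited advisory, confirm it against that advisory; otherwise use the earlier date. The `<range><lt>0.11</lt></range>` bound is consistent with the quoted "0.10 and below".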

Modified: head/www/p5-RT-Authen-ExternalAuth/Makefile
==============================================================================
--- head/www/p5-RT-Authen-ExternalAuth/Makefile	Thu Jul 26 17:43:34 2012	(r301570)
+++ head/www/p5-RT-Authen-ExternalAuth/Makefile	Thu Jul 26 17:46:51 2012	(r301571)
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	RT-Authen-ExternalAuth
-DISTVERSION=	0.09
-PORTREVISION=	2
+DISTVERSION=	0.11
 CATEGORIES=	www net perl5
 MASTER_SITES=	CPAN
 MASTER_SITE_SUBDIR=	CPAN:FALCONE
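
Review bot: `MASTER_SITE_SUBDIR=	CPAN:FALCONE` stays unchanged in the trailing context while DISTVERSION moves from 0.09 to 0.11, and the ChangeLog in the commit message attributes the intervening releases to Thomas Sibley and Alex Vandiver. Confirm that RT-Authen-ExternalAuth-0.11.tar.gz is actually published under that CPAN author directory, otherwise the distfile will not be found there. Dropping PORTREVISION together with the version bump is correct.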

Modified: head/www/p5-RT-Authen-ExternalAuth/distinfo
==============================================================================
--- head/www/p5-RT-Authen-ExternalAuth/distinfo	Thu Jul 26 17:43:34 2012	(r301570)
+++ head/www/p5-RT-Authen-ExternalAuth/distinfo	Thu Jul 26 17:46:51 2012	(r301571)
@@ -1,2 +1,2 @@
-SHA256 (RT-Authen-ExternalAuth-0.09.tar.gz) = 4b2fd506f55c69b126c191c330f4bdd89ccec364077e1fd035610d19f38319bc
-SIZE (RT-Authen-ExternalAuth-0.09.tar.gz) = 56056
+SHA256 (RT-Authen-ExternalAuth-0.11.tar.gz) = 42859c5d5bdf7b95f9f408ab70f8589a1c2c3c2cdd53d9d405658f4d08fd549e
+SIZE (RT-Authen-ExternalAuth-0.11.tar.gz) = 62805
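
Review bot: Nothing in the commit records how the new SHA256 on the `+` lines was obtained. Since this is a security update, cross-check the digest and the SIZE of 62805 against a copy of RT-Authen-ExternalAuth-0.11.tar.gz fetched independently from CPAN rather than relying only on a locally regenerated value, and say so in the log.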


