From owner-cvs-all@FreeBSD.ORG Mon Apr 2 21:16:54 2012
From: "Helmut Schneider"
To: "Ruslan Mahmatkhanov", "Jason Helfman"
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, ports-committers@freebsd.org
Date: Mon, 2 Apr 2012 23:16:51 +0200
Subject: Re: cvs commit: ports/www/typo345 Makefile distinfo pkg-descr
In-Reply-To: <4F755BBF.7020607@yandex.ru>
References: <201203291821.q2TILLmU032333@repoman.freebsd.org> <4F755BBF.7020607@yandex.ru>

Does this look reasonable?

Typo3 - Cross-Site Scripting, Information Disclosure, Insecure Unserialize

Affected packages:
  typo3    4.6 to 4.6.6
  typo345  4.5 to 4.5.13
  typo344  4.4 to 4.4.13

The typo3 security team reports:

Due to a missing signature (HMAC) for a request argument, an attacker could unserialize arbitrary objects within TYPO3.

Failing to properly HTML-encode user input in several places, the TYPO3 backend is susceptible to Cross-Site Scripting. A valid backend user is required to exploit these vulnerabilities.

Accessing a CLI script directly with a browser may disclose the database name used for the TYPO3 installation.

By not removing non-printable characters, the API method t3lib_div::RemoveXSS() fails to filter specially crafted HTML injections and is thus susceptible to Cross-Site Scripting.

CVE-2012-1605
CVE-2012-1606
CVE-2012-1607
CVE-2012-1608
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/
2012-03-28
--------------------------------------------------
From: "Ruslan Mahmatkhanov"
Sent: Friday, March 30, 2012 9:07 AM
To: "Jason Helfman"
Cc: ; ; ; "Helmut Schneider"
Subject: Re: cvs commit: ports/www/typo345 Makefile distinfo pkg-descr

> Jason Helfman wrote on 30.03.2012 10:30:
>> On Thu, Mar 29, 2012 at 11:21 AM, Ruslan Mahmatkhanov wrote:
>>
>>> rm 2012-03-29 18:21:21 UTC
>>>
>>> FreeBSD ports repository
>>>
>>> Modified files:
>>> www/typo345 Makefile distinfo pkg-descr
>>> Log:
>>> - update to 4.5.14
>>>
>>> See
>>> https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-sa-2012-001/
>>>
>>> PR: 166467
>>> http://www.FreeBSD.org/cgi/query-pr.cgi?pr=166467
>>> Submitted by: Helmut Schneider (maintainer)
>>> Feature safe: yes
>>>
>>> Revision Changes Path
>>> 1.60 +1 -1 ports/www/typo345/Makefile
>>> 1.42 +4 -4 ports/www/typo345/distinfo
>>> 1.7 +1 -1 ports/www/typo345/pkg-descr
>>>
>>> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/Makefile.diff?&r1=1.59&r2=1.60&f=h
>>> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/distinfo.diff?&r1=1.41&r2=1.42&f=h
>>> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/pkg-descr.diff?&r1=1.6&r2=1.7&f=h
>>>
>> Are there any plans to document these updates in vuxml?
>>
>> -jgh
>>
> No, I haven't. Helmut, would you?
>
> --
> Regards,
> Ruslan
>
> Tinderboxing kills... the drives.
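The first item in the draft entry, a serialized request argument that carried no HMAC, is easiest to see in code. The PHP below is an added illustration for this page; it is not TYPO3 code and not part of the thread above. The `Cleanup` class, the `SECRET` constant, the `sign()` / `handle_signed()` / `handle_unsigned()` helpers and the two request strings are all constructed for the demo.

```php
<?php
// Added illustration, not TYPO3 code. Cleanup, SECRET, sign(), handle_*()
// and the request strings are all constructed for this demo.
declare(strict_types=1);

// Some class that already exists in the application. Any class with a magic
// method (__wakeup, __destruct, __toString, ...) becomes a gadget as soon as
// the attacker controls the bytes that reach unserialize().
final class Cleanup
{
    /** What __destruct() would have done, recorded so the demo has no side effects. */
    public static array $actions = [];
    public string $path = '';

    public function __destruct()
    {
        // A real class might call unlink($this->path) here.
        self::$actions[] = "would delete {$this->path}";
    }
}

// Server-side secret; constructed for the demo, never sent to the client.
const SECRET = 'constructed-server-side-secret';

// Vulnerable pattern: the request argument goes straight into unserialize().
// The attacker's object is built, and its destructor runs, before the caller
// gets any chance to validate the result.
function handle_unsigned(string $arg)
{
    return unserialize($arg);
}

// Hardened pattern: the server signs every argument it hands out and refuses
// anything that does not carry a valid signature.
function sign(string $serialized): string
{
    return $serialized . '|' . hash_hmac('sha256', $serialized, SECRET);
}

function handle_signed(string $arg)
{
    $sep = strrpos($arg, '|');
    if ($sep === false) {
        return null;
    }
    $payload = substr($arg, 0, $sep);
    $mac     = substr($arg, $sep + 1);
    // Constant-time comparison; a forged or tampered argument stops here.
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET), $mac)) {
        return null;
    }
    // Defence in depth: even a validly signed payload may only carry scalars
    // and arrays; any object in it is reduced to __PHP_Incomplete_Class.
    return unserialize($payload, ['allowed_classes' => false]);
}

// What the application legitimately round-trips through the request ...
$legit = serialize(['page' => 42, 'sort' => 'title']);
// ... and what an attacker sends instead: a serialized Cleanup object.
$attack = 'O:7:"Cleanup":1:{s:4:"path";s:11:"/etc/passwd";}';

// 1. Unsigned: the object is instantiated and __destruct() fires as soon as
//    the temporary is released.
handle_unsigned($attack);
echo "unsigned: ", implode('; ', Cleanup::$actions), "\n";

// 2. Signed: a server-minted argument verifies and yields the array; the
//    forged argument, with or without a made-up MAC, never reaches unserialize().
Cleanup::$actions = [];
var_dump(handle_signed(sign($legit)) === ['page' => 42, 'sort' => 'title']);
var_dump(handle_signed($attack));
var_dump(handle_signed($attack . '|' . str_repeat('0', 64)));
echo "signed: ", implode('; ', Cleanup::$actions) ?: '(nothing)', "\n";
```

Run it with `php demo.php` (PHP 7.4 or later for the typed properties). The point to take away is that the damage in the unsigned path happens at unserialize() time, so checking the returned value afterwards is too late; the HMAC moves the decision in front of the parser. That only works when the server is the sole producer of the argument, the key is a server-side secret, and the comparison is constant-time (hash_equals); `allowed_classes` is an extra belt for the case where the signing key ever leaks.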
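The last item, RemoveXSS() not stripping non-printable characters, comes down to canonicalising input before matching it against a keyword list. The PHP below is likewise an added illustration and is not TYPO3's RemoveXSS() implementation; `BLOCKLIST`, the three filter functions and the sample markup are constructed for the demo.

```php
<?php
// Added illustration, not TYPO3's RemoveXSS(). BLOCKLIST, the filter
// functions and the sample markup are constructed for this demo.
declare(strict_types=1);

const BLOCKLIST = ['javascript:', 'vbscript:', 'onerror=', 'onload='];

// Drop ASCII control characters (C0 set and DEL) except tab, LF and CR,
// which carry legitimate whitespace in markup.
function strip_nonprintable(string $s): string
{
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $s);
}

// Tolerant keyword pattern: whitespace between the letters is allowed, which
// is what blocklist filters usually do to catch "java\tscript:". Note that
// \s does not cover NUL or other control bytes.
function keyword_pattern(string $keyword): string
{
    $letters = array_map(
        static fn (string $c): string => preg_quote($c, '/'),
        str_split($keyword)
    );
    return '/' . implode('\s*', $letters) . '/i';
}

// Naive: match the keywords against the raw input.
function naive_filter(string $html): string
{
    foreach (BLOCKLIST as $kw) {
        $html = preg_replace(keyword_pattern($kw), '[removed]', $html);
    }
    return $html;
}

// Hardened: canonicalise first, then match. Control bytes are never part of
// the markup we want to accept, so nothing legitimate is lost.
function hardened_filter(string $html): string
{
    return naive_filter(strip_nonprintable($html));
}

// Constructed samples: the same injection with increasingly odd separators.
$samples = [
    'plain'        => '<a href="javascript:alert(1)">x</a>',
    'tab'          => "<a href=\"java\tscript:alert(1)\">x</a>",
    'nul'          => "<a href=\"java\x00script:alert(1)\">x</a>",
    'ctrl-onerror' => "<img src=x on\x01error=alert(1)>",
];

$verdict = static fn (string $out): string =>
    strpos($out, '[removed]') !== false ? 'caught' : 'MISSED';

foreach ($samples as $name => $html) {
    printf("%-13s naive: %-7s hardened: %s\n",
        $name, $verdict(naive_filter($html)), $verdict(hardened_filter($html)));
}
```

The tab case is caught by both filters because the tolerant pattern already allows `\s` between letters; the NUL and `\x01` cases slip past the naive filter because those bytes are neither letters nor `\s`, and only the filter that strips control bytes first catches them. Which of these mangled forms a given browser actually executes is browser-specific and has changed over the years, so a filter must not bank on it. Blocklist filtering is fragile by construction; for the HTML-encoding items in the same advisory the robust fix is contextual output encoding (htmlspecialchars() for HTML text and attribute values), with a filter like this only as a second layer.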