Date: Thu, 23 May 2013 07:24:40 +0000 (UTC)
From: Matthew Seaman <matthew@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r318848 - in head: security/vuxml www/rt38 www/rt40
Message-ID: <201305230724.r4N7Oeue086592@svn.freebsd.org>
Author: matthew Date: Thu May 23 07:24:40 2013 New Revision: 318848 URL: http://svnweb.freebsd.org/changeset/ports/318848 Log: Security Updates - www/rt40 to 4.0.13 - www/rt38 to 3.8.17 [1] This is a security fix addressing a number of CVEs: CVE-2012-4733 CVE-2013-3368 CVE-2013-3369 CVE-2013-3370 CVE-2013-3371 CVE-2013-3372 CVE-2013-3373 CVE-2013-3374 Users will need to update their database schemas as described in pkg-message Approved by: flo [1] Security: 3a429192-c36a-11e2-97a9-6805ca0b3d42 Modified: head/security/vuxml/vuln.xml head/www/rt38/Makefile head/www/rt38/distinfo head/www/rt40/Makefile head/www/rt40/distinfo Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu May 23 07:11:47 2013 (r318847) +++ head/security/vuxml/vuln.xml Thu May 23 07:24:40 2013 (r318848) 
@@ -51,6 +51,109 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="3a429192-c36a-11e2-97a9-6805ca0b3d42"> + <topic>RT -- multiple vulnerabilities</topic> + <affects> + <package> + <name>rt38</name> + <range><ge>3.8</ge><lt>3.8.17</lt></range> + </package> + <package> + <name>rt40</name> + <range><ge>4.0</ge><lt>4.0.13</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Thomas Sibley reports:</p> + <blockquote cite="http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html"> + <p>We discovered a number of security vulnerabilities which + affect both RT 3.8.x and RT 4.0.x. We are releasing RT + versions 3.8.17 and 4.0.13 to resolve these vulnerabilities, + as well as patches which apply atop all released versions of + 3.8 and 4.0.</p> + <p>The vulnerabilities addressed by 3.8.17, 4.0.13, and the + below patches include the following:</p> + <p>RT 4.0.0 and above are vulnerable to a limited privilege + escalation leading to unauthorized modification of ticket + data. The DeleteTicket right and any custom lifecycle + transition rights may be bypassed by any user with + ModifyTicket. This vulnerability is assigned + CVE-2012-4733.</p> + <p>RT 3.8.0 and above include a version of bin/rt that uses + semi-predictable names when creating tempfiles. This could + possibly be exploited by a malicious user to overwrite files + with permissions of the user running bin/rt. This + vulnerability is assigned CVE-2013-3368.</p> + <p>RT 3.8.0 and above allow calling of arbitrary Mason + components (without control of arguments) for users who can + see administration pages. This could be used by a malicious + user to run private components which may have negative + side-effects. This vulnerability is assigned + CVE-2013-3369.</p> + <p>RT 3.8.0 and above allow direct requests to private + callback components. 
Though no callback components ship + with RT, this could be used to exploit an extension or local + callback which uses the arguments passed to it insecurely. + This vulnerability is assigned CVE-2013-3370.</p> + <p>RT 3.8.3 and above are vulnerable to cross-site scripting + (XSS) via attachment filenames. The vector is difficult to + exploit due to parsing requirements. Additionally, RT 4.0.0 + and above are vulnerable to XSS via maliciously-crafted + "URLs" in ticket content when RT's "MakeClicky" feature is + configured. Although not believed to be exploitable in the + stock configuration, a patch is also included for RTIR 2.6.x + to add bulletproofing. These vulnerabilities are assigned + CVE-2013-3371.</p> + <p>RT 3.8.0 and above are vulnerable to an HTTP header + injection limited to the value of the Content-Disposition + header. Injection of other arbitrary response headers is + not possible. Some (especially older) browsers may allow + multiple Content-Disposition values which could lead to XSS. + Newer browsers contain security measures to prevent this. + Thank you to Dominic Hargreaves for reporting this + vulnerability. This vulnerability is assigned + CVE-2013-3372.</p> + <p>RT 3.8.0 and above are vulnerable to a MIME header + injection in outgoing email generated by RT. The vectors + via RT's stock templates are resolved by this patchset, but + any custom email templates should be updated to ensure that + values interpolated into mail headers do not contain + newlines. This vulnerability is assigned CVE-2013-3373.</p> + <p>RT 3.8.0 and above are vulnerable to limited session + re-use when using the file-based session store, + Apache::Session::File. RT's default session configuration + only uses Apache::Session::File for Oracle. RT instances + using Oracle may be locally configured to use the + database-backed Apache::Session::Oracle, in which case + sessions are never re-used. 
The extent of session re-use is + limited to information leaks of certain user preferences and + caches, such as queue names available for ticket creation. + Thank you to Jenny Martin for reporting the problem that + lead to discovery of this vulnerability. This vulnerability + is assigned CVE-2013-3374.</p> + </blockquote> + </body> + </description> + <references> + <url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html</url> + <url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000227.html</url> + <url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000228.html</url> + <cvename>CVE-2012-4733</cvename> + <cvename>CVE-2013-3368</cvename> + <cvename>CVE-2013-3369</cvename> + <cvename>CVE-2013-3370</cvename> + <cvename>CVE-2013-3371</cvename> + <cvename>CVE-2013-3372</cvename> + <cvename>CVE-2013-3373</cvename> + <cvename>CVE-2013-3374</cvename> + </references> + <dates> + <discovery>2013-05-22</discovery> + <entry>2013-05-23</entry> + </dates> + </vuln> + <vuln vid="358133b5-c2b9-11e2-a738-00262d5ed8ee"> <topic>chromium -- multiple vulnerabilities</topic> <affects> Modified: head/www/rt38/Makefile ============================================================================== --- head/www/rt38/Makefile Thu May 23 07:11:47 2013 (r318847) +++ head/www/rt38/Makefile Thu May 23 07:24:40 2013 (r318848) @@ -8,7 +8,7 @@ # o install a sample into etc/apache22/Includes PORTNAME= rt -PORTVERSION= 3.8.16 +PORTVERSION= 3.8.17 CATEGORIES= www MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ \ ftp://ftp.eu.uu.net/pub/unix/ticketing/rt/release/ Modified: head/www/rt38/distinfo ============================================================================== --- head/www/rt38/distinfo Thu May 23 07:11:47 2013 (r318847) +++ head/www/rt38/distinfo Thu May 23 07:24:40 2013 (r318848) 
@@ -1,2 +1,2 @@ -SHA256 (rt-3.8.16.tar.gz) = 8a0bdb9fc2938ffe21111127d5777ef5d3107195c2597cb35c5c0a44dc4ca045 -SIZE (rt-3.8.16.tar.gz) = 5650272 +SHA256 (rt-3.8.17.tar.gz) = d9cd8b239712f25d38619791ab9f8d60c57f001cc0df2caeb2ccb7ad9f8a4acd +SIZE (rt-3.8.17.tar.gz) = 5728368 Modified: head/www/rt40/Makefile ============================================================================== --- head/www/rt40/Makefile Thu May 23 07:11:47 2013 (r318847) +++ head/www/rt40/Makefile Thu May 23 07:24:40 2013 (r318848) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= rt -PORTVERSION= 4.0.12 +PORTVERSION= 4.0.13 CATEGORIES= www MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ \ ftp://ftp.eu.uu.net/pub/unix/ticketing/rt/release/ Modified: head/www/rt40/distinfo ============================================================================== --- head/www/rt40/distinfo Thu May 23 07:11:47 2013 (r318847) +++ head/www/rt40/distinfo Thu May 23 07:24:40 2013 (r318848) @@ -1,2 +1,2 @@ -SHA256 (rt-4.0.12.tar.gz) = ce246da3c5f03144d3070a2419ccc0756496501f143f343b52b96cb2adec09da -SIZE (rt-4.0.12.tar.gz) = 6895082 +SHA256 (rt-4.0.13.tar.gz) = b8c516e6b99a38476eb0e0d6336d11056e322a2143e01c96e42f4586a68bf999 +SIZE (rt-4.0.13.tar.gz) = 6895248
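Review bot: the quoted advisory in the security/vuxml/vuln.xml hunk says "a patch is also included for RTIR 2.6.x to add bulletproofing", yet the <affects> block lists only rt38 and rt40; if an RTIR port exists in the tree it should either be added to <affects> with its own range or the entry should say explicitly that it is not affected, otherwise a vuxml consumer such as pkg audit has no way to flag it. The <lt>3.8.17</lt> and <lt>4.0.13</lt> bounds do match the PORTVERSION bumps in the two Makefile hunks.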
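Review bot: the www/rt40/Makefile hunk (and the matching www/rt38/Makefile hunk) changes only PORTVERSION, while the log message says users "will need to update their database schemas as described in pkg-message"; pkg-message is not in the Modified list, so confirm that the existing pkg-message already describes the schema upgrade step for these releases, or add it in this commit so the instruction the log points to actually ships with the port.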
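Review bot: the www/rt38/distinfo hunk (and the www/rt40/distinfo hunk) replaces the SHA256 and SIZE lines for the new tarballs; since distinfo is the only integrity check applied when the distfile is fetched, the new digests should be checked against the values upstream publishes alongside the release announcements linked in the log, not only against a fresh fetch from MASTER_SITES, because a fetch-and-record workflow would faithfully record a tampered copy from either the primary site or the ftp.eu.uu.net mirror listed as a fallback.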