From owner-svn-ports-all@FreeBSD.ORG Thu May 23 07:24:42 2013 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 07B90F12; Thu, 23 May 2013 07:24:42 +0000 (UTC) (envelope-from matthew@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id DD42E9D3; Thu, 23 May 2013 07:24:41 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r4N7Ofci086600; Thu, 23 May 2013 07:24:41 GMT (envelope-from matthew@svn.freebsd.org) Received: (from matthew@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r4N7Oeue086592; Thu, 23 May 2013 07:24:40 GMT (envelope-from matthew@svn.freebsd.org) Message-Id: <201305230724.r4N7Oeue086592@svn.freebsd.org> From: Matthew Seaman Date: Thu, 23 May 2013 07:24:40 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r318848 - in head: security/vuxml www/rt38 www/rt40 X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 May 2013 07:24:42 -0000 Author: matthew Date: Thu May 23 07:24:40 2013 New Revision: 318848 URL: http://svnweb.freebsd.org/changeset/ports/318848 Log: Security Updates - www/rt40 to 4.0.13 - www/rt38 to 3.8.17 [1] This is a security fix addressing a number of CVEs: CVE-2012-4733 CVE-2013-3368 CVE-2013-3369 CVE-2013-3370 CVE-2013-3371 CVE-2013-3372 CVE-2013-3373 CVE-2013-3374 Users will need to update their database schemas as described in pkg-message Approved by: flo [1] Security: 3a429192-c36a-11e2-97a9-6805ca0b3d42 Modified: head/security/vuxml/vuln.xml head/www/rt38/Makefile head/www/rt38/distinfo head/www/rt40/Makefile head/www/rt40/distinfo Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu May 23 07:11:47 2013 (r318847) +++ head/security/vuxml/vuln.xml Thu May 23 07:24:40 2013 (r318848) @@ -51,6 +51,109 @@ Note: Please add new entries to the beg --> + + RT -- multiple vulnerabilities + + + rt38 + 3.83.8.17 + + + rt40 + 4.04.0.13 + + + + +

Thomas Sibley reports:

+
+

We discovered a number of security vulnerabilities which + affect both RT 3.8.x and RT 4.0.x. We are releasing RT + versions 3.8.17 and 4.0.13 to resolve these vulnerabilities, + as well as patches which apply atop all released versions of + 3.8 and 4.0.

+

The vulnerabilities addressed by 3.8.17, 4.0.13, and the + below patches include the following:

+

RT 4.0.0 and above are vulnerable to a limited privilege + escalation leading to unauthorized modification of ticket + data. The DeleteTicket right and any custom lifecycle + transition rights may be bypassed by any user with + ModifyTicket. This vulnerability is assigned + CVE-2012-4733.

+

RT 3.8.0 and above include a version of bin/rt that uses + semi-predictable names when creating tempfiles. This could + possibly be exploited by a malicious user to overwrite files + with permissions of the user running bin/rt. This + vulnerability is assigned CVE-2013-3368.

+

RT 3.8.0 and above allow calling of arbitrary Mason + components (without control of arguments) for users who can + see administration pages. This could be used by a malicious + user to run private components which may have negative + side-effects. This vulnerability is assigned + CVE-2013-3369.

+

RT 3.8.0 and above allow direct requests to private + callback components. Though no callback components ship + with RT, this could be used to exploit an extension or local + callback which uses the arguments passed to it insecurely. + This vulnerability is assigned CVE-2013-3370.

+

RT 3.8.3 and above are vulnerable to cross-site scripting + (XSS) via attachment filenames. The vector is difficult to + exploit due to parsing requirements. Additionally, RT 4.0.0 + and above are vulnerable to XSS via maliciously-crafted + "URLs" in ticket content when RT's "MakeClicky" feature is + configured. Although not believed to be exploitable in the + stock configuration, a patch is also included for RTIR 2.6.x + to add bulletproofing. These vulnerabilities are assigned + CVE-2013-3371.

+

RT 3.8.0 and above are vulnerable to an HTTP header + injection limited to the value of the Content-Disposition + header. Injection of other arbitrary response headers is + not possible. Some (especially older) browsers may allow + multiple Content-Disposition values which could lead to XSS. + Newer browsers contain security measures to prevent this. + Thank you to Dominic Hargreaves for reporting this + vulnerability. This vulnerability is assigned + CVE-2013-3372.

+

RT 3.8.0 and above are vulnerable to a MIME header + injection in outgoing email generated by RT. The vectors + via RT's stock templates are resolved by this patchset, but + any custom email templates should be updated to ensure that + values interpolated into mail headers do not contain + newlines. This vulnerability is assigned CVE-2013-3373.

+

RT 3.8.0 and above are vulnerable to limited session + re-use when using the file-based session store, + Apache::Session::File. RT's default session configuration + only uses Apache::Session::File for Oracle. RT instances + using Oracle may be locally configured to use the + database-backed Apache::Session::Oracle, in which case + sessions are never re-used. The extent of session re-use is + limited to information leaks of certain user preferences and + caches, such as queue names available for ticket creation. + Thank you to Jenny Martin for reporting the problem that + lead to discovery of this vulnerability. This vulnerability + is assigned CVE-2013-3374.

+
+ +
+ + http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html + http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000227.html + http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000228.html + CVE-2012-4733 + CVE-2013-3368 + CVE-2013-3369 + CVE-2013-3370 + CVE-2013-3371 + CVE-2013-3372 + CVE-2013-3373 + CVE-2013-3374 + + + 2013-05-22 + 2013-05-23 + +
+ chromium -- multiple vulnerabilities Modified: head/www/rt38/Makefile ============================================================================== --- head/www/rt38/Makefile Thu May 23 07:11:47 2013 (r318847) +++ head/www/rt38/Makefile Thu May 23 07:24:40 2013 (r318848) @@ -8,7 +8,7 @@ # o install a sample into etc/apache22/Includes PORTNAME= rt -PORTVERSION= 3.8.16 +PORTVERSION= 3.8.17 CATEGORIES= www MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ \ ftp://ftp.eu.uu.net/pub/unix/ticketing/rt/release/ Modified: head/www/rt38/distinfo ============================================================================== --- head/www/rt38/distinfo Thu May 23 07:11:47 2013 (r318847) +++ head/www/rt38/distinfo Thu May 23 07:24:40 2013 (r318848) @@ -1,2 +1,2 @@ -SHA256 (rt-3.8.16.tar.gz) = 8a0bdb9fc2938ffe21111127d5777ef5d3107195c2597cb35c5c0a44dc4ca045 -SIZE (rt-3.8.16.tar.gz) = 5650272 +SHA256 (rt-3.8.17.tar.gz) = d9cd8b239712f25d38619791ab9f8d60c57f001cc0df2caeb2ccb7ad9f8a4acd +SIZE (rt-3.8.17.tar.gz) = 5728368 Modified: head/www/rt40/Makefile ============================================================================== --- head/www/rt40/Makefile Thu May 23 07:11:47 2013 (r318847) +++ head/www/rt40/Makefile Thu May 23 07:24:40 2013 (r318848) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= rt -PORTVERSION= 4.0.12 +PORTVERSION= 4.0.13 CATEGORIES= www MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ \ ftp://ftp.eu.uu.net/pub/unix/ticketing/rt/release/ Modified: head/www/rt40/distinfo ============================================================================== --- head/www/rt40/distinfo Thu May 23 07:11:47 2013 (r318847) +++ head/www/rt40/distinfo Thu May 23 07:24:40 2013 (r318848) @@ -1,2 +1,2 @@ -SHA256 (rt-4.0.12.tar.gz) = ce246da3c5f03144d3070a2419ccc0756496501f143f343b52b96cb2adec09da -SIZE (rt-4.0.12.tar.gz) = 6895082 +SHA256 (rt-4.0.13.tar.gz) = b8c516e6b99a38476eb0e0d6336d11056e322a2143e01c96e42f4586a68bf999 +SIZE (rt-4.0.13.tar.gz) = 6895248