From: Beech Rintoul <beech@freebsdnorth.com>
To: Eitan Adler
Cc: svn-ports-head@freebsd.org, svn-ports-all@freebsd.org, ports-secteam@freebsd.org, Beech Rintoul, ports-committers@freebsd.org
Subject: Re: svn commit: r308867 - head/www/hastymail2
Date: Thu, 13 Dec 2012 10:30:54 -0900
Message-Id: <201212131030.54563.beech@freebsdnorth.com>
References: <201212131904.qBDJ4u9M095797@svn.freebsd.org>

On Thursday 13 December 2012 10:08:45 Eitan Adler wrote:
> On 13 December 2012 14:04, Beech Rintoul wrote:
> > Author: beech
> > Date: Thu Dec 13 19:04:56 2012
> > New Revision: 308867
> > URL: http://svnweb.freebsd.org/changeset/ports/308867
> >
> > Log:
> > - Update to 1.1 final.
> > - Security vulnerabilities are fixed in this version.
>
> Which ones? Is there a vuxml to go along with this?

No vuxml and no mention of security vulnerabilities in previous PRs.
The website shows the following, which doesn't appear anywhere else:

Two security issues have been recently discovered in Hastymail. Both are fixed in this latest release. All users are encouraged to upgrade to the 1.1 version to protect themselves from these issues.

Remote code execution: In order for this issue to be exploitable, sites must have the notices plugin enabled in Hastymail, and register_globals and allow_url_fopen enabled in PHP. It is STRONGLY recommended that you do not have register_globals enabled in PHP. Upgrading to the 1.1 version resolves this bug, or you can update the hastymail2/plugins/notices/test_sounds.php file to the latest version in SVN found here:
http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/plugins/notices/test_sound.php?revision=2074

XSS exploit on thread view: Shai Rod reported an issue on the thread view page that allows specially crafted message subjects to execute JavaScript code when viewed on the thread view page. Several files had to be modified to correct this issue, so it is recommended that sites upgrade to version 1.1 to mitigate this issue.
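Eitan's question above is what a ports-secteam entry for this would look like; the following is an added illustration of a VuXML record for the two issues described in the message, not an entry from the FreeBSD ports tree. The vid is a placeholder (a real entry needs a freshly generated UUID), the discovery date is assumed to equal the commit date since the page gives no other, and the only reference is the upstream SVN URL quoted above.

```xml
<!-- Added example: a VuXML entry for www/hastymail2 < 1.1.
     vid below is a PLACEHOLDER, replace with a new UUID (e.g. uuidgen). -->
<vuln vid="00000000-0000-0000-0000-000000000000">
  <topic>hastymail2 -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>hastymail2</name>
      <!-- Every release before 1.1 final is affected per the upstream notice -->
      <range><lt>1.1</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>The Hastymail project reports:</p>
      <blockquote cite="http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/plugins/notices/test_sound.php?revision=2074">
        <p>Remote code execution: exploitable only when the notices plugin
        is enabled in Hastymail and both register_globals and
        allow_url_fopen are enabled in PHP. Fixed in 1.1, or by updating
        hastymail2/plugins/notices/test_sounds.php from upstream SVN.</p>
        <p>XSS on thread view: specially crafted message subjects can
        execute JavaScript when viewed on the thread view page. Several
        files were modified, so upgrading to 1.1 is the recommended fix.</p>
      </blockquote>
      <p>Administrators who cannot upgrade immediately should at minimum
      confirm that register_globals is off in php.ini, which removes the
      precondition for the remote code execution issue.</p>
    </body>
  </description>
  <references>
    <url>http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/plugins/notices/test_sound.php?revision=2074</url>
  </references>
  <dates>
    <!-- discovery date assumed; the page only gives the port update date -->
    <discovery>2012-12-13</discovery>
    <entry>2012-12-13</entry>
  </dates>
</vuln>
```

Before committing, validate the file with `make validate` in security/vuxml, which checks the XML against the VuXML DTD and catches a malformed range or body.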