From owner-svn-ports-all@FreeBSD.ORG Thu Dec 13 19:44:25 2012
Delivered-To: svn-ports-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 2031482C; Thu, 13 Dec 2012 19:44:25 +0000 (UTC) (envelope-from beech@freebsdnorth.com)
Received: from bsdevel2.freebsdnorth.com (unknown [IPv6:2607:fc50:1000:1900:216:3eff:fe35:3e51]) by mx1.freebsd.org (Postfix) with ESMTP id DAFCE8FC16; Thu, 13 Dec 2012 19:44:24 +0000 (UTC)
Received: from tom1.akherb.com (akbeech-1-pt.tunnel.tserv14.sea1.ipv6.he.net [IPv6:2001:470:a:333::2]) by bsdevel2.freebsdnorth.com (Postfix) with ESMTPA id B8F0B184E2; Thu, 13 Dec 2012 19:36:38 +0000 (UTC)
From: Beech Rintoul
To: Eitan Adler
Subject: Re: svn commit: r308867 - head/www/hastymail2
Date: Thu, 13 Dec 2012 10:44:22 -0900
User-Agent: KMail/1.13.7 (FreeBSD/9.1-PRERELEASE; KDE/4.8.4; i386; ; )
References: <201212131904.qBDJ4u9M095797@svn.freebsd.org> <201212131030.54563.beech@freebsdnorth.com>
In-Reply-To: <201212131030.54563.beech@freebsdnorth.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201212131044.23185.beech@freebsdnorth.com>
Cc: svn-ports-head@freebsd.org, ports-secteam@freebsd.org, Beech Rintoul, svn-ports-all@freebsd.org, ports-committers@freebsd.org, portmgr@freebsd.org
X-BeenThere: svn-ports-all@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the ports tree
X-List-Received-Date: Thu, 13 Dec 2012 19:44:25 -0000

On Thursday 13 December 2012 10:30:54 Beech Rintoul wrote:
> On Thursday 13 December 2012 10:08:45 Eitan Adler wrote:
> > On 13 December 2012 14:04, Beech Rintoul wrote:
> > > Author: beech
> > > Date: Thu Dec 13 19:04:56 2012
> > > New Revision: 308867
> > > URL: http://svnweb.freebsd.org/changeset/ports/308867
> > >
> > > Log:
> > >   - Update to 1.1 final.
> > >   - Security vulnerabilities are fixed in this version.
> >
> > Which ones? Is there a vuxml to go along with this?
>
> No vuxml and no mention of security vulnerabilities in previous PRs. The
> website shows the following which doesn't appear anywhere else:
>
> Two security issues have been recently discovered in Hastymail. Both are
> fixed in this latest release. All users are encouraged to upgrade to the
> 1.1 version to protect themselves from these issues.
>
> Remote code execution: In order for this issue to be exploitable sites must
> have the notices plugin enabled in Hastymail, and register_globals and
> allow_url_fopen enabled in PHP. It is STRONGLY recommended that you do not
> have register_globals enabled in PHP. Upgrading to the 1.1 version resolves
> this bug, or you can update the hastymail2/plugins/notices/test_sounds.php
> file to the latest version in SVN found here:
>
> http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/plugins/notices/test_sound.php?revision=2074
>
> XSS exploit on thread view: Shai Rod reported an issue on the thread view
> page that allows specially crafted message subjects to execute javascript
> code when viewed on the thread view page. Several files had to be modified
> to correct this issue so it is recommended that sites upgrade to version
> 1.1 to mitigate this issue.

This is the second maintainer timeout, the first being PR 165549 from
February 29. I'm wondering if this port should go back to the pool as
graudeejs@gmail.com hasn't responded.

Beech
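The advisory quoted in the mail above makes the remote code execution conditional on two php.ini settings, register_globals and allow_url_fopen, and that is the first thing an administrator of a pre-1.1 Hastymail install would want to verify. Below is an added example, written for this page and not taken from the mail, from the Hastymail project or from the FreeBSD port, of a POSIX shell check that reads a php.ini and reports whether those two settings are effectively on. It assumes standard php.ini syntax ("name = value", ';' comments, last assignment wins) and applies PHP's own defaults for keys that are absent (register_globals off since PHP 4.2, allow_url_fopen on); the ini excerpt it runs on is constructed, and nothing here reproduces the plugin code that was fixed.

```shell
#!/bin/sh
# Added example, not part of the mail above or of Hastymail: audit a php.ini
# for the two PHP settings the advisory names as preconditions for the
# notices-plugin remote code execution (register_globals and allow_url_fopen).
# Assumptions: standard php.ini syntax ("name = value", ';' comments, last
# assignment wins); defaults for missing keys are PHP's own (register_globals
# off since PHP 4.2, allow_url_fopen on). The sample ini text is constructed.

# php_ini_setting FILE NAME
#   Print the value of NAME, lowercased, taking the last uncommented
#   assignment and stripping any trailing ';' comment. Prints "unset" when
#   the key does not appear in the file.
php_ini_setting() {
    file=$1
    name=$2
    val=$( (grep -iE "^[[:space:]]*${name}[[:space:]]*=" "$file" || true) \
          | tail -n 1 \
          | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*(;.*)?$//' \
          | tr 'A-Z' 'a-z')
    if [ -z "$val" ]; then
        echo unset
    else
        echo "$val"
    fi
}

# php_ini_effective FILE NAME
#   Like php_ini_setting, but substitutes PHP's built-in default when the
#   key is absent, so a php.ini that never mentions allow_url_fopen is
#   reported as having it on (which is what PHP does).
php_ini_effective() {
    v=$(php_ini_setting "$1" "$2")
    if [ "$v" = unset ]; then
        case "$2" in
            allow_url_fopen)  v=on ;;
            register_globals) v=off ;;
        esac
    fi
    echo "$v"
}

# php_ini_is_on VALUE  -> exit 0 if PHP treats VALUE as true
php_ini_is_on() {
    case "$1" in
        1|on|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# count_risky FILE  -> print how many of the two settings are effectively on
count_risky() {
    n=0
    for s in register_globals allow_url_fopen; do
        if php_ini_is_on "$(php_ini_effective "$1" "$s")"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# audit_php_ini FILE  -> one line per setting plus a verdict
audit_php_ini() {
    for s in register_globals allow_url_fopen; do
        cur=$(php_ini_effective "$1" "$s")
        if php_ini_is_on "$cur"; then
            echo "WARN  $s = $cur"
        else
            echo "ok    $s = $cur"
        fi
    done
    if [ "$(count_risky "$1")" -eq 2 ]; then
        echo "VERDICT: both PHP preconditions present; a Hastymail < 1.1 install with the notices plugin is exposed"
    else
        echo "VERDICT: RCE preconditions not both met (register_globals should still be off)"
    fi
}

# Demo on a constructed php.ini excerpt showing the weak configuration.
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
; constructed php.ini excerpt for this example
;register_globals = Off      <- commented out, so it does not count
register_globals = On
allow_url_fopen = On ; needed for URL includes
EOF
audit_php_ini "$demo_ini"
rm -f "$demo_ini"
```

Run it against the real file, for example `audit_php_ini /usr/local/etc/php.ini` on a FreeBSD ports install. It only reads the one file you name; `php --ini` lists any additional scanned ini files, and the runtime value can still be overridden per directory or per virtual host, so the authoritative check is the value shown by the web server's own PHP (for example through phpinfo()). The advisory also recommends turning register_globals off regardless of the second setting, which is why the verdict line treats it separately.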