Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 13 Dec 2012 15:17:32 -0500
From:      Eitan Adler <eadler@freebsd.org>
To:        Beech Rintoul <beech@freebsdnorth.com>
Cc:        svn-ports-head@freebsd.org, ports-secteam@freebsd.org, Beech Rintoul <beech@freebsd.org>, svn-ports-all@freebsd.org, ports-committers@freebsd.org, portmgr@freebsd.org
Subject:   Re: svn commit: r308867 - head/www/hastymail2
Message-ID:  <CAF6rxgm96QC1wYDDs-h0EXkqZn6t5KX=_FvaDLkSGoAbJBdxOA@mail.gmail.com>
In-Reply-To: <201212131044.23185.beech@freebsdnorth.com>
References:  <201212131904.qBDJ4u9M095797@svn.freebsd.org> <CAF6rxgmsHq=GfsPvCkQJQD168RjToYxQ%2BziotvyLWrJgHfeF0w@mail.gmail.com> <201212131030.54563.beech@freebsdnorth.com> <201212131044.23185.beech@freebsdnorth.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On 13 December 2012 14:44, Beech Rintoul <beech@freebsdnorth.com> wrote:
> On Thursday 13 December 2012 10:30:54 Beech Rintoul wrote:
>> On Thursday 13 December 2012 10:08:45 Eitan Adler wrote:
>> > On 13 December 2012 14:04, Beech Rintoul <beech@freebsd.org> wrote:
>> > > Author: beech
>> > > Date: Thu Dec 13 19:04:56 2012
>> > > New Revision: 308867
>> > > URL: http://svnweb.freebsd.org/changeset/ports/308867
>> > >
>> > > Log:
>> > >   - Update to 1.1 final.
>> > >   - Security vulnerabilities are fixed in this version.
>> >
>> > Which ones? Is there a vuxml to go along with this?
>>
>> No vuxml and no mention of security vulnerabilities in previous pr's. The
>> website shows the following which doesn't appear anywhere else:
>>
>> Two security issues have been recently discovered in Hastymail. Both are
>> fixed in this latest release. All users are encouraged to upgrade to the
>> 1.1 version to protect themselves from these issues.
>>
>> Remote code execution: In order for this issue to be exploitable sites must
>> have the notices plugin enabled in Hastymail, and register_globals and
>> allow_url_fopen enabled in  PHP. It is STRONGLY recommended that you do not
>> have register_globals enabled in PHP. Upgrading to the 1.1 version resolves
>> this bug, or you can update the hastymail2/plugins/notices/test_sounds.php
>> file to the latest version in SVN found here:
>>
>>  http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/plu
>> gins/notices/test_sound.php?revision=2074
>>
>> XXS exploit on thread view: Shai Rod reported an issue on the thread view
>> page that allows specially crafted message subjects to execute javascript
>> code when viewed on the thread view page. Several files had to be modified
>> to correct this issue so it is recommended that sites upgrade to version
>> 1.1 to mitigate this issue.
>
> This is the second maintainer timeout, the first being pr 165549 from February
> 29. I'm wondering if this port should go back to the pool as
> graudeejs@gmail.com hasn't responded.

Yes, it should be - its been over 3 months without a reply or update.
He also timed out on a security related PR.  Please reset.



-- 
Eitan Adler
Source, Ports, Doc committer
Bugmeister, Ports Security teams



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAF6rxgm96QC1wYDDs-h0EXkqZn6t5KX=_FvaDLkSGoAbJBdxOA>