From: Eitan Adler
Date: Thu, 13 Dec 2012 15:17:32 -0500
Subject: Re: svn commit: r308867 - head/www/hastymail2
To: Beech Rintoul
Cc: svn-ports-head@freebsd.org, ports-secteam@freebsd.org, Beech Rintoul, svn-ports-all@freebsd.org, ports-committers@freebsd.org, portmgr@freebsd.org
In-Reply-To: <201212131044.23185.beech@freebsdnorth.com>
References: <201212131904.qBDJ4u9M095797@svn.freebsd.org> <201212131030.54563.beech@freebsdnorth.com> <201212131044.23185.beech@freebsdnorth.com>

On 13 December 2012 14:44, Beech Rintoul wrote:
> On Thursday 13 December 2012 10:30:54 Beech Rintoul wrote:
>> On Thursday 13 December 2012 10:08:45 Eitan Adler wrote:
>> > On 13 December 2012 14:04, Beech Rintoul wrote:
>> > > Author: beech
>> > > Date: Thu Dec 13 19:04:56 2012
>> > > New Revision: 308867
>> > > URL: http://svnweb.freebsd.org/changeset/ports/308867
>> > >
>> > > Log:
>> > >   - Update to 1.1 final.
>> > >   - Security vulnerabilities are fixed in this version.
>> >
>> > Which ones? Is there a vuxml to go along with this?
>>
>> No vuxml and no mention of security vulnerabilities in previous PRs. The
>> website shows the following which doesn't appear anywhere else:
>>
>> Two security issues have been recently discovered in Hastymail. Both are
>> fixed in this latest release. All users are encouraged to upgrade to the
>> 1.1 version to protect themselves from these issues.
>>
>> Remote code execution: In order for this issue to be exploitable sites must
>> have the notices plugin enabled in Hastymail, and register_globals and
>> allow_url_fopen enabled in PHP. It is STRONGLY recommended that you do not
>> have register_globals enabled in PHP. Upgrading to the 1.1 version resolves
>> this bug, or you can update the hastymail2/plugins/notices/test_sounds.php
>> file to the latest version in SVN found here:
>>
>> http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/plugins/notices/test_sound.php?revision=2074
>>
>> XSS exploit on thread view: Shai Rod reported an issue on the thread view
>> page that allows specially crafted message subjects to execute javascript
>> code when viewed on the thread view page. Several files had to be modified
>> to correct this issue so it is recommended that sites upgrade to version
>> 1.1 to mitigate this issue.
>
> This is the second maintainer timeout, the first being PR 165549 from February
> 29. I'm wondering if this port should go back to the pool as
> graudeejs@gmail.com hasn't responded.

Yes, it should be - it's been over 3 months without a reply or update. He
also timed out on a security related PR. Please reset.

-- 
Eitan Adler
Source, Ports, Doc committer
Bugmeister, Ports Security teams
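The advisory quoted in the thread ties the notices-plugin remote code execution to two PHP settings, register_globals and allow_url_fopen, and says both must be enabled for the exploit path to exist. The following is an added example, not part of the mailing-list thread and not Hastymail or FreeBSD ports code: a POSIX shell audit that reads a php.ini, resolves each of those two directives the way PHP does (last uncommented assignment wins, inline ";" comments dropped, quotes stripped), and flags either one when it is effectively on. The sample php.ini content is constructed for the example; the built-in defaults it falls back to when a directive is absent (register_globals Off, allow_url_fopen On) are PHP's documented defaults.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Hastymail:
# audit a php.ini for the two directives the advisory says the
# notices-plugin remote code execution depends on. Both should be Off.

# php.ini excerpt constructed for this example. The commented-out
# allow_url_include line must be ignored by the parser.
SAMPLE_INI='; constructed php.ini excerpt
[PHP]
engine = On
register_globals = On
allow_url_fopen = On
display_errors = Off
; allow_url_include = On
'

# php_ini_value FILE DIRECTIVE
# Print the effective value of DIRECTIVE: only uncommented assignments
# count, an inline ";" comment is dropped, quotes are removed, and the
# last assignment wins, which is how PHP resolves duplicate keys.
php_ini_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\([^;]*\).*$/\1/p' "$1" \
        | sed 's/[[:space:]]*$//' \
        | tr -d '"' \
        | tail -n 1
}

# php_ini_truthy VALUE
# Succeed if PHP would treat VALUE as enabled (1, On, True, Yes,
# case-insensitively).
php_ini_truthy() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_php_ini FILE
# Print one line per dangerous directive that is effectively enabled,
# falling back to PHP's built-in default when the file does not set it
# (register_globals defaults to Off, allow_url_fopen to On). Return 1 if
# anything was flagged, 0 if both directives are off for this file.
audit_php_ini() {
    _ini="$1"
    _bad=0
    for _entry in register_globals:Off allow_url_fopen:On; do
        _directive=${_entry%%:*}
        _default=${_entry#*:}
        _value=$(php_ini_value "$_ini" "$_directive")
        [ -n "$_value" ] || _value="$_default"   # unset: PHP default applies
        if php_ini_truthy "$_value"; then
            echo "INSECURE: $_directive = $_value (set it to Off)"
            _bad=1
        fi
    done
    return "$_bad"
}

# Run the audit on the constructed sample. A real run would point it at
# the php.ini the web server actually loads ("Loaded Configuration File"
# in phpinfo(), or `php --ini`), since that file, not any other copy,
# decides whether the advisory's preconditions hold.
tmp=$(mktemp)
printf '%s' "$SAMPLE_INI" > "$tmp"
audit_php_ini "$tmp" || echo "php.ini needs hardening"
rm -f "$tmp"
```

Note that an absent allow_url_fopen line is reported, not silently passed: PHP enables it by default, so a php.ini that never mentions it still satisfies one of the advisory's two preconditions.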