Date: Sat, 6 Apr 2002 22:19:28 +0200 (CEST)
From: Thierry Thomas <thierry@pompo.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: <security-officer@FreeBSD.org>
Subject: ports/36820: Security: upgrade www/horde and mail/imp to prevent potential CSS
Message-ID: <20020406201928.3C4F2750D@graf.pompo.net>
>Number: 36820
>Category: ports
>Synopsis: Security: upgrade www/horde and mail/imp to prevent potential CSS
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sat Apr 06 12:30:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Thierry Thomas
>Release: FreeBSD 4.5-STABLE i386
>Organization: Kabbale Eros
>Environment:
System: FreeBSD graf.pompo.net 4.5-STABLE FreeBSD 4.5-STABLE #0: Sat Mar 9 11:54:44 CET 2002 root@graf.pompo.net:/usr/obj/mntsrc/src/sys/GRAF010429 i386

>Description:
Hereunder is the official announcement from "Brent J. Nordquist" <bjn@horde.org> on the Horde's announce list and on bugtraq:

The Horde team announces the availability of IMP 2.2.8, which prevents some potential cross-site scripting (CSS) attacks. Site administrators should consider upgrading to IMP 3 (our first recommendation), but if this is not possible, IMP 2.2.8 should be used to prevent these potential attacks.

>How-To-Repeat:
N/A.

>Fix:
Pre-requisites: please commit PR ports/35740.

Then apply the following patches:

1) Patch against www/horde

diff -ur /usr/ports/www/horde.orig/Makefile /usr/ports/www/horde/Makefile --- /usr/ports/www/horde.orig/Makefile Sun Feb 17 14:58:26 2002 +++ /usr/ports/www/horde/Makefile Sat Apr 6 21:19:57 2002 @@ -7,7 +7,7 @@ # PORTNAME= horde -PORTVERSION= 1.2.7 +PORTVERSION= 1.2.8 CATEGORIES= www MASTER_SITES= ftp://ftp.horde.org/pub/horde/tarballs/ diff -ur /usr/ports/www/horde.orig/distinfo /usr/ports/www/horde/distinfo --- /usr/ports/www/horde.orig/distinfo Mon Nov 12 20:40:06 2001 +++ /usr/ports/www/horde/distinfo Sat Apr 6 21:31:43 2002 
@@ -1 +1 @@ -MD5 (horde-1.2.7.tar.gz) = 2433ed0e67739c41021b1a9397130a96 +MD5 (horde-1.2.8.tar.gz) = 96ae6dcf03cab2637c14c13d556049e0 2) Patch against mail/imp diff -ur /usr/ports/mail/imp.orig/Makefile /usr/ports/mail/imp/Makefile --- /usr/ports/mail/imp.orig/Makefile Sun Mar 10 15:33:49 2002 +++ /usr/ports/mail/imp/Makefile Sat Apr 6 21:27:55 2002 @@ -7,7 +7,7 @@ # PORTNAME= imp -PORTVERSION= 2.2.7 +PORTVERSION= 2.2.8 CATEGORIES= mail www MASTER_SITES= ftp://ftp.horde.org/pub/imp/tarballs/ diff -ur /usr/ports/mail/imp.orig/distinfo /usr/ports/mail/imp/distinfo --- /usr/ports/mail/imp.orig/distinfo Wed Nov 14 22:27:23 2001 +++ /usr/ports/mail/imp/distinfo Sat Apr 6 21:31:34 2002 @@ -1 +1 @@ -MD5 (imp-2.2.7.tar.gz) = b5c683e1dc862fd185c9be0ce7188894 +MD5 (imp-2.2.8.tar.gz) = 9f0e442f61ce542b945016bee2736d2f >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
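Review bot: The PORTVERSION bump in www/horde/Makefile (1.2.7 to 1.2.8) is not explained anywhere in the PR: the quoted announcement covers only IMP 2.2.8. Please state in the Description or the commit message whether Horde 1.2.8 carries part of the cross-site scripting fix or is only needed alongside IMP 2.2.8, so that users tracking www/horde on its own can tell whether this is a security upgrade for them.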
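Review bot: In www/horde/distinfo the new `MD5 (horde-1.2.8.tar.gz)` value is the only integrity check on a tarball that MASTER_SITES fetches over plain ftp://, and it arrives in the same e-mail as the version bump. Before committing, fetch the distfile independently and regenerate the digest (for example with `make makesum`) rather than copying the submitted line, and compare it with a value published by the Horde project if one is available. The same check applies to the `imp-2.2.8.tar.gz` line in mail/imp/distinfo.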
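Review bot: The mail/imp/Makefile hunk is taken against a tree dated Sun Mar 10 2002, and the Fix section makes PR ports/35740 a prerequisite, but nothing in the diff says which state the `.orig` tree was in. Please say whether this hunk assumes ports/35740 is already applied, so the committer can apply the two PRs in the right order and confirm the `@@ -7,7 +7,7 @@` context still matches.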