From owner-freebsd-ports Sat Apr 6 12:30:25 2002
Delivered-To: freebsd-ports@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2C13A37B41A for ; Sat, 6 Apr 2002 12:30:01 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g36KU1S65432; Sat, 6 Apr 2002 12:30:01 -0800 (PST) (envelope-from gnats)
Received: from postfix1-2.free.fr (postfix1-2.free.fr [213.228.0.130]) by hub.freebsd.org (Postfix) with ESMTP id 7592937B43B; Sat, 6 Apr 2002 12:22:23 -0800 (PST)
Received: from graf.pompo.net (lyon-5-a7-62-147-109-82.dial.proxad.net [62.147.109.82]) by postfix1-2.free.fr (Postfix) with ESMTP id DB5E6AB0E9; Sat, 6 Apr 2002 22:22:21 +0200 (CEST)
Received: by graf.pompo.net (Postfix, from userid 1001) id 3C4F2750D; Sat, 6 Apr 2002 22:19:28 +0200 (CEST)
Message-Id: <20020406201928.3C4F2750D@graf.pompo.net>
Date: Sat, 6 Apr 2002 22:19:28 +0200 (CEST)
From: Thierry Thomas
Reply-To: Thierry Thomas
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: ports/36820: Security: upgrade www/horde and mail/imp to prevent potential CSS
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number: 36820
>Category: ports
>Synopsis: Security: upgrade www/horde and mail/imp to prevent potential CSS
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sat Apr 06 12:30:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Thierry Thomas
>Release: FreeBSD 4.5-STABLE i386
>Organization: Kabbale Eros
>Environment:
System: FreeBSD graf.pompo.net 4.5-STABLE FreeBSD 4.5-STABLE #0: Sat Mar 9 11:54:44 CET 2002 root@graf.pompo.net:/usr/obj/mntsrc/src/sys/GRAF010429 i386
>Description:
Hereunder is the official announcement from "Brent J. Nordquist" on the Horde's announce list and on bugtraq:

The Horde team announces the availability of IMP 2.2.8, which prevents some potential cross-site scripting (CSS) attacks. Site administrators should consider upgrading to IMP 3 (our first recommendation), but if this is not possible, IMP 2.2.8 should be used to prevent these potential attacks.
>How-To-Repeat:
N/A.
>Fix:
Pre-requisites: please commit PR ports/35740.

Then apply the following patches:

1) Patch against www/horde

diff -ur /usr/ports/www/horde.orig/Makefile /usr/ports/www/horde/Makefile --- /usr/ports/www/horde.orig/Makefile Sun Feb 17 14:58:26 2002 +++ /usr/ports/www/horde/Makefile Sat Apr 6 21:19:57 2002 
@@ -7,7 +7,7 @@ # PORTNAME= horde -PORTVERSION= 1.2.7 +PORTVERSION= 1.2.8 CATEGORIES= www MASTER_SITES= ftp://ftp.horde.org/pub/horde/tarballs/ diff -ur /usr/ports/www/horde.orig/distinfo /usr/ports/www/horde/distinfo --- /usr/ports/www/horde.orig/distinfo Mon Nov 12 20:40:06 2001 +++ /usr/ports/www/horde/distinfo Sat Apr 6 21:31:43 2002 @@ -1 +1 @@ -MD5 (horde-1.2.7.tar.gz) = 2433ed0e67739c41021b1a9397130a96 +MD5 (horde-1.2.8.tar.gz) = 96ae6dcf03cab2637c14c13d556049e0 2) Patch against mail/imp diff -ur /usr/ports/mail/imp.orig/Makefile /usr/ports/mail/imp/Makefile --- /usr/ports/mail/imp.orig/Makefile Sun Mar 10 15:33:49 2002 +++ /usr/ports/mail/imp/Makefile Sat Apr 6 21:27:55 2002 @@ -7,7 +7,7 @@ # PORTNAME= imp -PORTVERSION= 2.2.7 +PORTVERSION= 2.2.8 CATEGORIES= mail www MASTER_SITES= ftp://ftp.horde.org/pub/imp/tarballs/ diff -ur /usr/ports/mail/imp.orig/distinfo /usr/ports/mail/imp/distinfo --- /usr/ports/mail/imp.orig/distinfo Wed Nov 14 22:27:23 2001 +++ /usr/ports/mail/imp/distinfo Sat Apr 6 21:31:34 2002 @@ -1 +1 @@ -MD5 (imp-2.2.7.tar.gz) = b5c683e1dc862fd185c9be0ce7188894 +MD5 (imp-2.2.8.tar.gz) = 9f0e442f61ce542b945016bee2736d2f >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
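Review bot: The PORTVERSION bump to 1.2.8 in the www/horde Makefile hunk has no stated justification: the Description quotes only the IMP 2.2.8 announcement and never mentions a Horde 1.2.8 release. Add a line to the PR saying why horde has to move as well (whether imp 2.2.8 requires it, or whether 1.2.8 carries a fix of its own) so the committer can judge whether the two ports must go in together.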
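Review bot: The mail/imp Makefile hunk is diffed against an imp.orig/Makefile dated Sun Mar 10 2002, while the Fix section asks for PR ports/35740 to be committed first without saying what that PR touches. State in the PR whether imp.orig already has ports/35740 applied; otherwise the `-7,7 +7,7` context may not match the tree the committer is patching.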
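Review bot: In the mail/imp distinfo hunk, the new `MD5 (imp-2.2.8.tar.gz)` line is the only integrity check on a tarball that MASTER_SITES fetches over plain ftp:// from ftp.horde.org, and the PR does not say where the digest came from. For a security update, note in the PR that the value was compared with one published alongside the upstream announcement, or how else it was obtained; the same applies to the `horde-1.2.8.tar.gz` line in the www/horde distinfo hunk.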