Date:      Mon, 30 Jul 2012 12:42:32 +0000 (UTC)
From:      Ryan Steinmetz <zi@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r301716 - in head: net/isc-dhcp41-server security/vuxml
Message-ID:  <201207301242.q6UCgWWd093626@svn.freebsd.org>

Author: zi
Date: Mon Jul 30 12:42:32 2012
New Revision: 301716
URL: http://svn.freebsd.org/changeset/ports/301716

Log:
  - Update net/isc-dhcp41-server to 4.1-ESV-R6 [1]
  - Document vulnerabilities in net/isc-dhcp41-server
  - Cleanup formatting in vuxml
  
  PR:		ports/170245 [1]
  Submitted by:	Douglas Thrift <douglas@douglasthrift.net> (maintainer) [1]
  Security:	c7fa3618-d5ff-11e1-90a2-000c299b62e1

Modified:
  head/net/isc-dhcp41-server/Makefile
  head/net/isc-dhcp41-server/distinfo
  head/security/vuxml/vuln.xml

Modified: head/net/isc-dhcp41-server/Makefile
==============================================================================
--- head/net/isc-dhcp41-server/Makefile	Mon Jul 30 12:10:39 2012	(r301715)
+++ head/net/isc-dhcp41-server/Makefile	Mon Jul 30 12:42:32 2012	(r301716)
@@ -21,10 +21,10 @@ COMMENT?=	The ISC Dynamic Host Configura
 
 LICENSE=	ISCL
 
-PATCHLEVEL=	R5
-PORTREVISION_SERVER=	4
-PORTREVISION_CLIENT=	1
-PORTREVISION_RELAY=	4
+PATCHLEVEL=	R6
+PORTREVISION_SERVER=	5
+PORTREVISION_CLIENT=	2
+PORTREVISION_RELAY=	5
 
 SUBSYS?=	server
 WRKSRC=		${WRKDIR}/${PORTNAME}-${DISTVERSION}-${PATCHLEVEL}
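
Review bot: PORTREVISION_CLIENT and PORTREVISION_RELAY move in lockstep with PORTREVISION_SERVER here, but nothing near PATCHLEVEL explains that all three counters must be bumped when it changes. The vuln.xml range added in this same commit is `4.1.e_5,2`, so the R5 to R6 update appears to be visible to package tools only through PORTREVISION_SERVER=5; a one-line comment above PATCHLEVEL saying so would keep a later update from changing PATCHLEVEL alone and leaving the vulnerable and fixed packages with the same version.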

Modified: head/net/isc-dhcp41-server/distinfo
==============================================================================
--- head/net/isc-dhcp41-server/distinfo	Mon Jul 30 12:10:39 2012	(r301715)
+++ head/net/isc-dhcp41-server/distinfo	Mon Jul 30 12:42:32 2012	(r301716)
@@ -1,4 +1,4 @@
-SHA256 (dhcp-4.1-ESV-R5.tar.gz) = c028fd6f9c1fff38fd0ae21cc89a70912e0eb759ea1019fb25b145cf14527583
-SIZE (dhcp-4.1-ESV-R5.tar.gz) = 1120684
+SHA256 (dhcp-4.1-ESV-R6.tar.gz) = deb666a1ab02dd1375c0ebd237ce1fcb3e4d9e7be520d25ba25f1f40eb0ead9e
+SIZE (dhcp-4.1-ESV-R6.tar.gz) = 1121186
 SHA256 (ldap-for-dhcp-4.1.1-2.tar.gz) = 566b7be2ebefdc583d0bf0095c804ba69807b67e5cc29a2b64b1b39202b37d0d
 SIZE (ldap-for-dhcp-4.1.1-2.tar.gz) = 39004
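
Review bot: The new SHA256 and SIZE for dhcp-4.1-ESV-R6.tar.gz cannot be validated from the diff, and the commit log does not say what they were checked against. For a security update, state in the log that the tarball was verified against the upstream release signature or published checksum before distinfo was regenerated, so the recorded hash is known to pin the intended release.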

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Mon Jul 30 12:10:39 2012	(r301715)
+++ head/security/vuxml/vuln.xml	Mon Jul 30 12:42:32 2012	(r301716)
@@ -67,28 +67,28 @@ Note:  Please add new entries to the beg
 	<h1>A Bugzilla Security Advisory reports:</h1>
 	<blockquote cite="http://www.bugzilla.org/security/3.6.9/">;
 	  <p>The following security issues have been discovered in
-	    Bugzilla:</p>
+	     Bugzilla:</p>
 	  <h1>Information Leak</h1>
 	  <p>Versions: 4.1.1 to 4.2.1, 4.3.1</p>
 	  <p>In HTML bugmails, all bug IDs and attachment IDs are
-	   linkified, and hovering these links displays a tooltip
-	   with the bug summary or the attachment description if
-	   the user is allowed to see the bug or attachment.
-	   But when validating user permissions when generating the
-	   email, the permissions of the user who edited the bug were
-	   taken into account instead of the permissions of the
-	   addressee. This means that confidential information could
-	   be disclosed to the addressee if the other user has more
-	   privileges than the addressee.
-	   Plain text bugmails are not affected as bug and attachment
-	   IDs are not linkified.</p>
+	     linkified, and hovering these links displays a tooltip
+	     with the bug summary or the attachment description if
+	     the user is allowed to see the bug or attachment.
+	     But when validating user permissions when generating the
+	     email, the permissions of the user who edited the bug were
+	     taken into account instead of the permissions of the
+	     addressee. This means that confidential information could
+	     be disclosed to the addressee if the other user has more
+	     privileges than the addressee.
+	     Plain text bugmails are not affected as bug and attachment
+	     IDs are not linkified.</p>
 	  <h1>Information Leak</h1>
-           <p>Versions: 2.17.5 to 3.6.9, 3.7.1 to 4.0.6, 4.1.1 to
-            4.2.1, 4.3.1</p>
+          <p>Versions: 2.17.5 to 3.6.9, 3.7.1 to 4.0.6, 4.1.1 to
+              4.2.1, 4.3.1</p>
 	  <p>The description of a private attachment could be visible
-	   to a user who hasn't permissions to access this attachment
-	   if the attachment ID is mentioned in a public comment in
-	   a bug that the user can see.</p>
+	     to a user who hasn't permissions to access this attachment
+	     if the attachment ID is mentioned in a public comment in
+	     a bug that the user can see.</p>
 	</blockquote>
       </body>
     </description>
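
Review bot: The reindent is not uniform within this hunk: the second `<p>Versions: 2.17.5 to 3.6.9, ...` line and its continuation `4.2.1, 4.3.1</p>` are still indented with spaces only, while every other changed line uses a tab followed by spaces, and that continuation ends up at a different column from the other wrapped lines. If the goal is consistent formatting, convert those two lines to the same tab-plus-five-spaces pattern used for the rest of the entry.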
@@ -176,13 +176,13 @@ Note:  Please add new entries to the beg
 	<p>The RT development team reports:</p>
 	<blockquote cite="http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html">;
 	  <p>RT::Authen::ExternalAuth 0.10 and below (for all versions
-	  of RT) are vulnerable to an escalation of privilege attack
-	  where the URL of a RSS feed of the user can be used to
-	  acquire a fully logged-in session as that user.
-	  CVE-2012-2770 has been assigned to this vulnerability.</p>
+	     of RT) are vulnerable to an escalation of privilege attack
+	     where the URL of a RSS feed of the user can be used to
+	     acquire a fully logged-in session as that user.
+	     CVE-2012-2770 has been assigned to this vulnerability.</p>
 	  <p>Users of RT 3.8.2 and above should upgrade to
-	  RT::Authen::ExternalAuth 0.11, which resolves this
-	  vulnerability.</p>
+	     RT::Authen::ExternalAuth 0.11, which resolves this
+	     vulnerability.</p>
 	</blockquote>
       </body>
     </description>
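
Review bot: This hunk is whitespace-only, yet it lands in the same revision as the new isc-dhcp41-server affected range further down in vuln.xml. Committing the cosmetic reindent of the Bugzilla and RT entries separately would leave the security-relevant change as a four-line diff that is easy to audit and to merge or revert on its own.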
@@ -200,6 +200,10 @@ Note:  Please add new entries to the beg
     <topic>isc-dhcp -- multiple vulnerabilities</topic>
     <affects>
       <package>
+	<name>isc-dhcp41-server</name>
+	<range><lt>4.1.e_5,2</lt></range>
+      </package>
+      <package>
 	<name>isc-dhcp42-server</name>
 	<range><lt>4.2.4_1</lt></range>
       </package>
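
Review bot: The isc-dhcp41-server package is added to an existing entry, but none of the vuln.xml hunks touches that entry's `<dates>` block, so no `<modified>` date records that the affected list changed on 2012-07-30. Add or update `<modified>` in the same entry so consumers that key on the date notice the new package. The `<lt>4.1.e_5,2</lt>` bound itself is consistent with PORTREVISION_SERVER=5 in the Makefile hunk; the `,2` epoch is not visible in this diff and should be confirmed against the port's PORTEPOCH.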


