Date: Fri, 10 Jun 2016 01:17:31 +0000 (UTC) From: Jason Unovitch <junovitch@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r416649 - in branches/2016Q2/mail/roundcube: . files Message-ID: <201606100117.u5A1HV5L044593@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: junovitch Date: Fri Jun 10 01:17:30 2016 New Revision: 416649 URL: https://svnweb.freebsd.org/changeset/ports/416649 Log: MFH: r414979 r416648 Update to 1.1.5 release. Apply patch from upstream for cross-site scripting vulnerability PR: 209841 Reported by: Vladimir Krstulja <vlad-fbsd@acheronmedia.com> Approved by: maintainer timeout (2 weeks) Security: CVE-2016-5103 Security: https://vuxml.FreeBSD.org/freebsd/97e86d10-2ea7-11e6-ae88-002590263bf5.html Approved by: ports-secteam (with hat) Added: branches/2016Q2/mail/roundcube/files/patch-CVE-2016-5103 - copied unchanged from r416648, head/mail/roundcube/files/patch-CVE-2016-5103 Modified: branches/2016Q2/mail/roundcube/Makefile branches/2016Q2/mail/roundcube/distinfo Directory Properties: branches/2016Q2/ (props changed) Modified: branches/2016Q2/mail/roundcube/Makefile ============================================================================== --- branches/2016Q2/mail/roundcube/Makefile Fri Jun 10 01:15:58 2016 (r416648) +++ branches/2016Q2/mail/roundcube/Makefile Fri Jun 10 01:17:30 2016 (r416649) @@ -1,11 +1,11 @@ # $FreeBSD$ PORTNAME= roundcube -DISTVERSION= 1.1.4 +DISTVERSION= 1.1.5 PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES?= mail www -MASTER_SITES= SF/${PORTNAME}mail/${PORTNAME}mail/${DISTVERSION:tu} +MASTER_SITES= https://github.com/roundcube/roundcubemail/releases/download/${DISTVERSION}/ DISTNAME= ${PORTNAME}mail-${DISTVERSION}-complete MAINTAINER?= ale@FreeBSD.org @@ -25,7 +25,7 @@ CPE_VENDOR= roundcube WANT_PHP_WEB= yes USE_PHP= pcre mbstring session iconv dom xml json intl zip filter -IGNORE_WITH_PHP=52 +IGNORE_WITH_PHP=70 OPTIONS_DEFINE= SSL LDAP GD PSPELL NSC DOCS OPTIONS_SINGLE= DB Modified: branches/2016Q2/mail/roundcube/distinfo ============================================================================== --- branches/2016Q2/mail/roundcube/distinfo Fri Jun 10 01:15:58 2016 (r416648) +++ branches/2016Q2/mail/roundcube/distinfo Fri Jun 10 01:17:30 2016 (r416649) @@ -1,2 +1,2 @@ -SHA256 (roundcubemail-1.1.4-complete.tar.gz) = 9bfe88255d4ffc288f5776de1cead78352469b1766d5ebaebe6e28043affe181 -SIZE (roundcubemail-1.1.4-complete.tar.gz) = 4578600 +SHA256 (roundcubemail-1.1.5-complete.tar.gz) = 476a1d45b0592b2ad43e3e08cbc72e69ef31e33ed8a8f071f02e5a1ae3e7f334 +SIZE (roundcubemail-1.1.5-complete.tar.gz) = 4581781 Copied: branches/2016Q2/mail/roundcube/files/patch-CVE-2016-5103 (from r416648, head/mail/roundcube/files/patch-CVE-2016-5103) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2016Q2/mail/roundcube/files/patch-CVE-2016-5103 Fri Jun 10 01:17:30 2016 (r416649, copy of r416648, head/mail/roundcube/files/patch-CVE-2016-5103) @@ -0,0 +1,19 @@ +commit 6652367d656de7e5f404935be04e10aa281add53 +Author: Aleksander Machniak <alec@alec.pl> +Date: Fri May 6 08:28:15 2016 +0200 + + Fix XSS issue in href attribute on area tag (#5240, #5241) + +diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php +index 5938d9b..d03f04a 100644 +--- program/lib/Roundcube/rcube_washtml.php ++++ program/lib/Roundcube/rcube_washtml.php +@@ -370,7 +370,7 @@ class rcube_washtml + */ + private function is_link_attribute($tag, $attr) + { +- return $tag == 'a' && $attr == 'href'; ++ return ($tag == 'a' || $tag == 'area') && $attr == 'href'; + } + + /**
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201606100117.u5A1HV5L044593>