Date:      Tue, 10 Apr 2012 10:48:00 +0200
From:      Baptiste Daroussin <bapt@FreeBSD.org>
To:        Olli Hauer <ohauer@FreeBSD.org>
Cc:        cvs-ports@FreeBSD.org, ports-committers@FreeBSD.org
Subject:   Re: cvs commit: ports/devel/bugzilla Makefile distinfo ports/german/bugzilla Makefile distinfo ports/russian/bugzilla-ru Makefile distinfo pkg-plist
Message-ID:  <20120410084800.GF90364@azathoth.lan>
In-Reply-To: <201204100515.q3A5FmFo096077@repoman.freebsd.org>
References:  <201204100515.q3A5FmFo096077@repoman.freebsd.org>

Would be nice to rename russian/bugzilla-ru into russian/bugzilla to avoid having
a package named: ru-bugzilla-ru

regards,
Bapt
On Tue, Apr 10, 2012 at 05:15:48AM +0000, Olli Hauer wrote:
> ohauer      2012-04-10 05:15:48 UTC
>
>   FreeBSD ports repository
>
>   Modified files:
>     devel/bugzilla       Makefile distinfo
>     german/bugzilla      Makefile distinfo
>     russian/bugzilla-ru  Makefile distinfo pkg-plist
>   Log:
>   - update to 4.0.5
>
>   Vulnerability Details
>   =====================
>
>   Class:       Cross-Site Request Forgery
>   Versions:    4.0.2 to 4.0.4, 4.1.1 to 4.2rc2
>   Fixed In:    4.0.5, 4.2
>   Description: Due to a lack of validation of the enctype form
>                attribute when making POST requests to xmlrpc.cgi,
>                a possible CSRF vulnerability was discovered. If a user
>                visits an HTML page with some malicious HTML code in it,
>                an attacker could make changes to a remote Bugzilla installation
>                on behalf of the victim's account by using the XML-RPC API
>                on a site running mod_perl. Sites running under mod_cgi
>                are not affected. Also the user would have had to be
>                already logged in to the target site for the vulnerability
>                to work.
>   References:  https://bugzilla.mozilla.org/show_bug.cgi?id=725663
>   CVE Number:  CVE-2012-0453
>
>   Approved by:    skv (implicit)
>
>   Revision  Changes    Path
>   1.92      +1 -1      ports/devel/bugzilla/Makefile
>   1.49      +2 -2      ports/devel/bugzilla/distinfo
>   1.6       +1 -1      ports/german/bugzilla/Makefile
>   1.5       +2 -2      ports/german/bugzilla/distinfo
>   1.15      +3 -2      ports/russian/bugzilla-ru/Makefile
>   1.10      +2 -2      ports/russian/bugzilla-ru/distinfo
>   1.7       +0 -1      ports/russian/bugzilla-ru/pkg-plist
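
The commit log above attributes CVE-2012-0453 to xmlrpc.cgi not validating the form enctype of POST requests. As an added example (not part of the original message and not Bugzilla's code), here is a Content-Type gate for an XML-RPC endpoint; the function names, status codes and sample requests are assumptions constructed for illustration.

```python
# Added example, not Bugzilla code: allow-list the Content-Type of XML-RPC POSTs.

# The three enctype values an HTML <form> can submit cross-site without script.
FORM_ENCTYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# Assumption: the endpoint only ever needs to accept XML request bodies.
XML_TYPES = {"text/xml", "application/xml"}


def media_type(header_value):
    """Lower-cased media type with parameters (charset, boundary) removed."""
    return (header_value or "").split(";", 1)[0].strip().lower()


def check_xmlrpc_request(method, content_type):
    """Return (http_status, reason) for a request to the XML-RPC endpoint."""
    if method.upper() != "POST":
        return 405, "XML-RPC calls must use POST"
    mtype = media_type(content_type)
    if mtype in XML_TYPES:
        return 200, "ok"
    if mtype in FORM_ENCTYPES:
        # Worth logging separately: a browser form, not an XML-RPC client.
        return 415, "form enctype %s rejected (cross-site form POST?)" % mtype
    return 415, "missing or unsupported Content-Type"


# Constructed sample requests: (method, Content-Type header).
SAMPLES = [
    ("POST", "text/xml; charset=UTF-8"),   # ordinary XML-RPC client
    ("POST", "text/plain"),                # <form enctype="text/plain">
    ("POST", "multipart/form-data; boundary=x"),
    ("POST", None),                        # header absent
    ("GET", "text/xml"),
]

if __name__ == "__main__":
    for method, ctype in SAMPLES:
        print(method, repr(ctype), "->", check_xmlrpc_request(method, ctype))
```

The decision is made by the allow-list alone; the form-enctype set only changes the rejection reason so that such requests stand out in logs.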
