Date:      Tue, 10 Apr 2012 05:15:48 +0000 (UTC)
From:      Olli Hauer <ohauer@FreeBSD.org>
To:        ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   cvs commit: ports/devel/bugzilla Makefile distinfo ports/german/bugzilla Makefile distinfo ports/russian/bugzilla-ru Makefile distinfo pkg-plist
Message-ID:  <201204100515.q3A5FmFo096077@repoman.freebsd.org>

ohauer      2012-04-10 05:15:48 UTC

  FreeBSD ports repository

  Modified files:
    devel/bugzilla       Makefile distinfo 
    german/bugzilla      Makefile distinfo 
    russian/bugzilla-ru  Makefile distinfo pkg-plist 
  Log:
  - update to 4.0.5
  
  Vulnerability Details
  =====================
  
  Class:       Cross-Site Request Forgery
  Versions:    4.0.2 to 4.0.4, 4.1.1 to 4.2rc2
  Fixed In:    4.0.5, 4.2
  Description: Due to a lack of validation of the enctype form
               attribute when making POST requests to xmlrpc.cgi,
               a possible CSRF vulnerability was discovered. If a user
               visits an HTML page with some malicious HTML code in it,
               an attacker could make changes to a remote Bugzilla installation
               on behalf of the victim's account by using the XML-RPC API
               on a site running mod_perl. Sites running under mod_cgi
               are not affected. Also the user would have had to be
               already logged in to the target site for the vulnerability
               to work.
  References:  https://bugzilla.mozilla.org/show_bug.cgi?id=725663
  CVE Number:  CVE-2012-0453
  
  Approved by:    skv (implicit)
  
  Revision  Changes    Path
  1.92      +1 -1      ports/devel/bugzilla/Makefile
  1.49      +2 -2      ports/devel/bugzilla/distinfo
  1.6       +1 -1      ports/german/bugzilla/Makefile
  1.5       +2 -2      ports/german/bugzilla/distinfo
  1.15      +3 -2      ports/russian/bugzilla-ru/Makefile
  1.10      +2 -2      ports/russian/bugzilla-ru/distinfo
  1.7       +0 -1      ports/russian/bugzilla-ru/pkg-plist
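
The missing check described in the advisory above, shown as an added example (not part of the commit and not Bugzilla's own code): an XML-RPC endpoint refuses any POST whose Content-Type is one an HTML form's enctype attribute can produce. The function names, the accepted XML media types and the sample requests are assumptions made for illustration.

```python
# Added example, hypothetical names throughout; not Bugzilla's actual fix.

# The three values an HTML <form enctype="..."> can submit.
FORM_ENCTYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# Assumption: the media types this endpoint accepts for XML-RPC payloads.
XML_TYPES = frozenset({"text/xml", "application/xml"})


def media_type(content_type):
    """Return the lowercase type/subtype without parameters, '' if absent."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def check_xmlrpc_request(method, headers):
    """Return (status, reason) for a request aimed at an XML-RPC endpoint."""
    if method.upper() != "POST":
        return 405, "XML-RPC calls must use POST"
    ctype = ""
    for name, value in headers.items():
        if name.lower() == "content-type":  # header names are case-insensitive
            ctype = media_type(value)
    if ctype in FORM_ENCTYPES:
        return 415, "form enctype not accepted: " + ctype
    if ctype not in XML_TYPES:
        return 415, "unsupported or missing Content-Type"
    return 200, "ok"


# Constructed sample requests: (method, headers).
SAMPLES = [
    ("POST", {"Content-Type": "text/xml; charset=UTF-8"}),   # XML-RPC client
    ("POST", {"content-type": "text/plain"}),                # form, text/plain
    ("POST", {"Content-Type": "multipart/form-data; boundary=x"}),
    ("POST", {}),                                            # header missing
    ("GET", {"Content-Type": "text/xml"}),
]


def demo():
    """Status code for each constructed sample, in order."""
    return [check_xmlrpc_request(m, h)[0] for m, h in SAMPLES]


if __name__ == "__main__":
    for (method, headers), status in zip(SAMPLES, demo()):
        print(status, method, headers)
```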


