From owner-cvs-all@FreeBSD.ORG Tue Apr 10 05:15:48 2012
Return-Path:
Delivered-To: cvs-all@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 427CF106564A; Tue, 10 Apr 2012 05:15:48 +0000 (UTC) (envelope-from ohauer@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 2D0428FC16; Tue, 10 Apr 2012 05:15:48 +0000 (UTC)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.4/8.14.4) with ESMTP id q3A5FmmO096078; Tue, 10 Apr 2012 05:15:48 GMT (envelope-from ohauer@repoman.freebsd.org)
Received: (from ohauer@localhost) by repoman.freebsd.org (8.14.4/8.14.4/Submit) id q3A5FmFo096077; Tue, 10 Apr 2012 05:15:48 GMT (envelope-from ohauer)
Message-Id: <201204100515.q3A5FmFo096077@repoman.freebsd.org>
From: Olli Hauer
Date: Tue, 10 Apr 2012 05:15:48 +0000 (UTC)
To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Cc:
Subject: cvs commit: ports/devel/bugzilla Makefile distinfo ports/german/bugzilla Makefile distinfo ports/russian/bugzilla-ru Makefile distinfo pkg-plist
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: **OBSOLETE** CVS commit messages for the entire tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 10 Apr 2012 05:15:48 -0000

ohauer      2012-04-10 05:15:48 UTC

  FreeBSD ports repository

  Modified files:
    devel/bugzilla       Makefile distinfo
    german/bugzilla      Makefile distinfo
    russian/bugzilla-ru  Makefile distinfo pkg-plist
  Log:
  - update to 4.0.5

  Vulnerability Details
  =====================
  Class:       Cross-Site Request Forgery
  Versions:    4.0.2 to 4.0.4, 4.1.1 to 4.2rc2
  Fixed In:    4.0.5, 4.2
  Description: Due to a lack of validation of the enctype form attribute
               when making POST requests to xmlrpc.cgi, a possible CSRF
               vulnerability was discovered. If a user visits an HTML page
               with some malicious HTML code in it, an attacker could make
               changes to a remote Bugzilla installation on behalf of the
               victim's account by using the XML-RPC API on a site running
               mod_perl. Sites running under mod_cgi are not affected. Also
               the user would have had to be already logged in to the target
               site for the vulnerability to work.
  References:  https://bugzilla.mozilla.org/show_bug.cgi?id=725663
  CVE Number:  CVE-2012-0453

  Approved by: skv (implicit)

  Revision  Changes    Path
  1.92      +1 -1      ports/devel/bugzilla/Makefile
  1.49      +2 -2      ports/devel/bugzilla/distinfo
  1.6       +1 -1      ports/german/bugzilla/Makefile
  1.5       +2 -2      ports/german/bugzilla/distinfo
  1.15      +3 -2      ports/russian/bugzilla-ru/Makefile
  1.10      +2 -2      ports/russian/bugzilla-ru/distinfo
  1.7       +0 -1      ports/russian/bugzilla-ru/pkg-plist
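The server-side defence the advisory implies, as an added example that is not Bugzilla's own code: an XML-RPC endpoint that refuses any request whose Content-Type is one an HTML form's enctype attribute can produce, so a cross-site form submission carrying the victim's cookies is rejected before the RPC body is ever parsed. The function names and the sample requests are constructed for illustration; the mod_perl/mod_cgi distinction from the advisory is not modelled.

```python
from typing import Mapping, Tuple

# Content types an HTML <form> can emit via its enctype attribute. A browser
# sends these cross-site with the victim's session cookies, so they must never
# be accepted as XML-RPC input.
FORM_ENCTYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

# Content types a genuine XML-RPC client sends. A plain HTML form cannot
# produce these, so requiring them blocks the form-based CSRF class above.
XMLRPC_TYPES = {"text/xml", "application/xml"}


def media_type(content_type: str) -> str:
    """Return the bare media type: parameters such as charset dropped, lowercased."""
    return content_type.split(";", 1)[0].strip().lower()


def header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def xmlrpc_request_allowed(method: str, headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Hypothetical gate for an XML-RPC endpoint. Returns (allowed, reason).

    Only POST with an XML content type passes; anything a browser form could
    have produced is denied before the body is handed to the RPC parser.
    """
    if method.upper() != "POST":
        return False, "XML-RPC requires POST"
    ctype = media_type(header(headers, "Content-Type"))
    if not ctype:
        return False, "missing Content-Type"
    if ctype in FORM_ENCTYPES:
        return False, f"form enctype {ctype!r} rejected: possible CSRF"
    if ctype not in XMLRPC_TYPES:
        return False, f"unexpected Content-Type {ctype!r}"
    return True, "ok"


# Constructed sample requests (not captured traffic), one per case the gate handles.
SAMPLE_REQUESTS = [
    ("POST", {"Content-Type": "text/xml; charset=utf-8"}),  # genuine XML-RPC client
    ("POST", {"content-type": "text/plain"}),                # what a cross-site form sends
    ("POST", {}),                                            # no Content-Type at all
    ("GET", {"Content-Type": "text/xml"}),                   # wrong method
]

if __name__ == "__main__":
    for method, hdrs in SAMPLE_REQUESTS:
        allowed, reason = xmlrpc_request_allowed(method, hdrs)
        print(f"{method:4} {header(hdrs, 'Content-Type') or '-':26} -> {'allow' if allowed else 'deny'}: {reason}")
```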