From owner-cvs-ports@FreeBSD.ORG Wed Dec 8 19:18:29 2010
Return-Path:
Delivered-To: cvs-ports@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 5C36C1065670;
	Wed, 8 Dec 2010 19:18:29 +0000 (UTC)
	(envelope-from pgollucci@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29])
	by mx1.freebsd.org (Postfix) with ESMTP id 4C17A8FC1B;
	Wed, 8 Dec 2010 19:18:29 +0000 (UTC)
Received: from repoman.freebsd.org (localhost [127.0.0.1])
	by repoman.freebsd.org (8.14.4/8.14.4) with ESMTP id oB8JITtT027565;
	Wed, 8 Dec 2010 19:18:29 GMT
	(envelope-from pgollucci@repoman.freebsd.org)
Received: (from pgollucci@localhost)
	by repoman.freebsd.org (8.14.4/8.14.4/Submit) id oB8JITsU027564;
	Wed, 8 Dec 2010 19:18:29 GMT
	(envelope-from pgollucci)
Message-Id: <201012081918.oB8JITsU027564@repoman.freebsd.org>
From: "Philip M. Gollucci"
Date: Wed, 8 Dec 2010 19:18:29 +0000 (UTC)
To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
X-FreeBSD-CVS-Branch: HEAD
Cc:
Subject: cvs commit: ports/www Makefile ports/www/rubygem-cgi_multipart_eof_fix Makefile distinfo pkg-descr
X-BeenThere: cvs-ports@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: CVS commit messages for the ports tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 08 Dec 2010 19:18:29 -0000

pgollucci    2010-12-08 19:18:29 UTC

  FreeBSD ports repository

  Modified files:
    www                  Makefile
  Added files:
    www/rubygem-cgi_multipart_eof_fix Makefile distinfo pkg-descr
  Log:
  Fixes an exploitable bug in CGI multipart parsing which affects Ruby <= 1.8.5.
  When multipart boundary attributes contain non-halting regular expression
  strings, the boundary searcher in the CGI module does not properly escape the
  parameter and will execute arbitrary regular expressions. This fix adds
  escaping for the user data.

  * Affected application servers: standalone CGI, Mongrel, WEBrick
  * Unaffected: FastCGI, Ruby 1.8.6 (all servers)
  * Unknown: mod_ruby

  This fix will not modify versions of Ruby greater than 1.8.5, and is
  cumulative with previous CGI multipart vulnerability fixes.

  WWW: http://blog.evanweaver.com/#cgi_multipart_eof_fix

  Revision  Changes    Path
  1.2772    +1 -0      ports/www/Makefile
  1.1       +19 -0     ports/www/rubygem-cgi_multipart_eof_fix/Makefile (new)
  1.1       +2 -0      ports/www/rubygem-cgi_multipart_eof_fix/distinfo (new)
  1.1       +14 -0     ports/www/rubygem-cgi_multipart_eof_fix/pkg-descr (new)
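The bug class the commit log describes, as an added example that is not code from the FreeBSD port, the cgi_multipart_eof_fix gem, or Ruby's own cgi.rb: a reduced multipart body splitter that interpolates the client-supplied boundary into a Regexp without escaping, beside the same splitter with `Regexp.escape` applied. The function names, the boundary strings and the request body are constructed for this illustration and are assumptions, not values taken from the advisory.

```ruby
# Added example: not the gem's, the port's or cgi.rb's code. It reproduces the
# bug class in the commit log with a minimal multipart splitter. The boundary
# string is taken verbatim from the client's Content-Type header, so whatever
# is interpolated into the Regexp below is attacker controlled.

# Vulnerable form: the boundary is dropped into the pattern as-is and is
# therefore interpreted as a regular expression, not as a literal delimiter.
def split_multipart_unescaped(body, boundary)
  body.split(/\r?\n?--#{boundary}(?:--)?\r?\n?/).reject(&:empty?)
end

# Fixed form: Regexp.escape turns every metacharacter in the boundary into a
# literal, which is what "adds escaping for the user data" amounts to.
def split_multipart_escaped(body, boundary)
  body.split(/\r?\n?--#{Regexp.escape(boundary)}(?:--)?\r?\n?/).reject(&:empty?)
end

# RFC 2046 permits '(' ')' '+' '.' '?' and similar characters in a boundary, so
# a string that is a valid regex is also a valid multipart boundary. Builds the
# boundary matcher either way so the two interpretations can be compared.
def boundary_pattern(boundary, escape:)
  Regexp.new("--" + (escape ? Regexp.escape(boundary) : boundary))
end

# Constructed sample request body (assumption, not captured traffic). The
# declared boundary "a.c" is a regex that also matches the bytes "abc" inside
# the part's payload, so the unescaped splitter cuts the payload in two.
BOUNDARY = "a.c"
BODY = [
  "--a.c",
  "Content-Disposition: form-data; name=\"f\"",
  "",
  "payload --abc still belongs to this part",
  "--a.c--",
  "",
].join("\r\n")

def demo
  {
    unescaped: split_multipart_unescaped(BODY, BOUNDARY),
    escaped:   split_multipart_escaped(BODY, BOUNDARY),
  }
end

if __FILE__ == $0
  r = demo
  puts "unescaped: #{r[:unescaped].length} part(s)"
  puts "escaped:   #{r[:escaped].length} part(s)"
end
```

The same construction is what makes a boundary such as `(a+)+$` dangerous: unescaped it becomes a backtracking pattern run against the whole request body, escaped it can only ever match its own characters. The block keeps that check to a tiny input so the demonstration itself terminates.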