Date:      Thu, 15 Nov 2012 08:50:06 +0000 (UTC)
From:      Beat Gaetzi <beat@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r307442 - in branches/RELENG_9_1_0: devel/bugzilla devel/bugzilla3 devel/bugzilla42 german/bugzilla german/bugzilla/files german/bugzilla3 german/bugzilla3/files german/bugzilla42 germa...
Message-ID:  <201211150850.qAF8o6Gk053786@svn.freebsd.org>

Author: beat
Date: Thu Nov 15 08:50:06 2012
New Revision: 307442
URL: http://svnweb.freebsd.org/changeset/ports/307442

Log:
  MFH 307425 by ohauer:
  - bugzilla security updates to version(s)
    3.6.11, 4.0.8, 4.2.4
  
  Summary
  =======
  
  The following security issues have been discovered in Bugzilla:
  
  * Confidential product and component names can be disclosed to
    unauthorized users if they are used to control the visibility of
    a custom field.
  
  * When calling the 'User.get' WebService method with a 'groups'
    argument, it is possible to check if the given group names exist
    or not.
  
  * Due to incorrectly filtered field values in tabular reports, it is
    possible to inject code which can lead to XSS.
  
  * When trying to mark an attachment in a bug you cannot see as
    obsolete, the description of the attachment is disclosed in the
    error message.
  
  * A vulnerability in swfstore.swf from YUI2 can lead to XSS.
  
  Feature safe:	yes
  
  Security:	CVE-2012-4199
  		https://bugzilla.mozilla.org/show_bug.cgi?id=731178
  
  		CVE-2012-4198
  		https://bugzilla.mozilla.org/show_bug.cgi?id=781850
  
  		CVE-2012-4189
  		https://bugzilla.mozilla.org/show_bug.cgi?id=790296
  
  		CVE-2012-4197
  		https://bugzilla.mozilla.org/show_bug.cgi?id=802204
  
  		CVE-2012-5475
  		https://bugzilla.mozilla.org/show_bug.cgi?id=808845
  		http://yuilibrary.com/support/20121030-vulnerability/
  
  MFH 307429 by ohauer:
  - adjust required PgSQL module for bugzilla42
  
  From Release Notes:
   PostgreSQL 9.2 requires DBD::Pg 2.19.3. (Bug 799721)
  
   No revision bump, p5-DBD-Pg-2.19.3
   a) not on per default
   b) in the tree since a few months
  
  - add deprecation message to bugzilla3
  
  From the announcement:
   Note that when Bugzilla 4.4 is released, the Bugzilla 3.6.x series
   will reach end of life. If you are using that series, we encourage
   you to upgrade to 4.2.4 now.
  
   http://groups.google.com/group/mozilla.support.bugzilla/browse_thread/thread/d8dcc99be0f89421
  
  MFH 307430 by ohauer:
  - fix german bugzilla templates (security fixes)

Added:
  branches/RELENG_9_1_0/german/bugzilla/files/
     - copied from r307430, head/german/bugzilla/files/
  branches/RELENG_9_1_0/german/bugzilla3/files/
     - copied from r307430, head/german/bugzilla3/files/
  branches/RELENG_9_1_0/german/bugzilla42/files/
     - copied from r307430, head/german/bugzilla42/files/
Modified:
  branches/RELENG_9_1_0/devel/bugzilla/Makefile
  branches/RELENG_9_1_0/devel/bugzilla/distinfo
  branches/RELENG_9_1_0/devel/bugzilla3/Makefile
  branches/RELENG_9_1_0/devel/bugzilla3/distinfo
  branches/RELENG_9_1_0/devel/bugzilla42/Makefile
  branches/RELENG_9_1_0/devel/bugzilla42/distinfo
  branches/RELENG_9_1_0/german/bugzilla/Makefile
  branches/RELENG_9_1_0/german/bugzilla3/Makefile
  branches/RELENG_9_1_0/german/bugzilla42/Makefile
  branches/RELENG_9_1_0/security/vuxml/vuln.xml
Directory Properties:
  branches/RELENG_9_1_0/   (props changed)

Modified: branches/RELENG_9_1_0/devel/bugzilla/Makefile
==============================================================================
--- branches/RELENG_9_1_0/devel/bugzilla/Makefile	Thu Nov 15 08:28:11 2012	(r307441)
+++ branches/RELENG_9_1_0/devel/bugzilla/Makefile	Thu Nov 15 08:50:06 2012	(r307442)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	bugzilla
-PORTVERSION=	4.0.8
+PORTVERSION=	4.0.9
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=	webtools webtools/archived
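
Review bot: PORTVERSION moves to 4.0.9 here, but the commit log announces security updates to "3.6.11, 4.0.8, 4.2.4", and 4.0.8 and 3.6.11 are the versions on the `-` lines of this commit. The log should name 3.6.12, 4.0.9 and 4.2.4, matching the `<lt>` bounds added to vuln.xml, so that anyone auditing from the log alone does not conclude that 4.0.8 is a fixed release.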

Modified: branches/RELENG_9_1_0/devel/bugzilla/distinfo
==============================================================================
--- branches/RELENG_9_1_0/devel/bugzilla/distinfo	Thu Nov 15 08:28:11 2012	(r307441)
+++ branches/RELENG_9_1_0/devel/bugzilla/distinfo	Thu Nov 15 08:50:06 2012	(r307442)
@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-4.0.8.tar.gz) = 0d44ab29863ffe6ef7637f078c31e52805f1b2ff0ff4f5c39a0d7daebe326b0c
-SIZE (bugzilla/bugzilla-4.0.8.tar.gz) = 2801982
+SHA256 (bugzilla/bugzilla-4.0.9.tar.gz) = af79b2f2b39f428e19122707d1334db5e447742ca6098f74803c35277117e394
+SIZE (bugzilla/bugzilla-4.0.9.tar.gz) = 2803607
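
Review bot: the new SHA256 and SIZE lines are the only thing tying the fetched bugzilla-4.0.9.tar.gz to what was reviewed, and the log does not say how the values were produced. For a security update, state in the commit message that the digest was checked against a tarball obtained independently of the mirror named in MASTER_SITES; the same applies to the 3.6.12 and 4.2.4 distinfo changes.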

Modified: branches/RELENG_9_1_0/devel/bugzilla3/Makefile
==============================================================================
--- branches/RELENG_9_1_0/devel/bugzilla3/Makefile	Thu Nov 15 08:28:11 2012	(r307441)
+++ branches/RELENG_9_1_0/devel/bugzilla3/Makefile	Thu Nov 15 08:50:06 2012	(r307442)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	bugzilla
-PORTVERSION=	3.6.11
+PORTVERSION=	3.6.12
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=	webtools webtools/archived
@@ -28,6 +28,9 @@ USE_PERL5=	yes
 
 BINMODE=	700
 
+DEPRECATED=	Note that when Bugzilla 4.4 is released, the Bugzilla 3.6.x \
+		series will reach end of life
+
 SUB_FILES=	pkg-message
 
 DATA_DIRS_LIST=	images js skins
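
Review bot: the DEPRECATED text added after BINMODE names neither an upgrade target nor a date. The announcement quoted in the log recommends moving to 4.2.4, so say that in the message (for example, that 3.6.x reaches end of life when 4.4 is released and users should switch to devel/bugzilla42) and drop the leading "Note that". Consider adding EXPIRATION_DATE once the 4.4 release date is known.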

Modified: branches/RELENG_9_1_0/devel/bugzilla3/distinfo
==============================================================================
--- branches/RELENG_9_1_0/devel/bugzilla3/distinfo	Thu Nov 15 08:28:11 2012	(r307441)
+++ branches/RELENG_9_1_0/devel/bugzilla3/distinfo	Thu Nov 15 08:50:06 2012	(r307442)
@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-3.6.11.tar.gz) = 01b99ec5b1e6efc9d0a0352ebe2ea6e8b8c7471a3f4dd80c3b99b5be575c4585
-SIZE (bugzilla/bugzilla-3.6.11.tar.gz) = 2509551
+SHA256 (bugzilla/bugzilla-3.6.12.tar.gz) = 1b3ebd08545b0093cd64a6f2e6c1310c7e85e691c83bd79c10960329f1bdca77
+SIZE (bugzilla/bugzilla-3.6.12.tar.gz) = 2509580

Modified: branches/RELENG_9_1_0/devel/bugzilla42/Makefile
==============================================================================
--- branches/RELENG_9_1_0/devel/bugzilla42/Makefile	Thu Nov 15 08:28:11 2012	(r307441)
+++ branches/RELENG_9_1_0/devel/bugzilla42/Makefile	Thu Nov 15 08:50:06 2012	(r307442)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	bugzilla
-PORTVERSION=	4.2.3
+PORTVERSION=	4.2.4
 CATEGORIES=	devel
 MASTER_SITES=	${MASTER_SITE_MOZILLA}
 MASTER_SITE_SUBDIR=	webtools webtools/archived
@@ -60,7 +60,7 @@ RUN_DEPENDS+=	p5-DBD-mysql>=4.0001:${POR
 
 .if ${PORT_OPTIONS:MPGSQL}
 USE_PGSQL=	yes
-RUN_DEPENDS+=	p5-DBD-Pg>=1.45:${PORTSDIR}/databases/p5-DBD-Pg
+RUN_DEPENDS+=	p5-DBD-Pg>=2.19.3:${PORTSDIR}/databases/p5-DBD-Pg
 .endif
 
 .if ${PORT_OPTIONS:MSQLITE}
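
Review bot: the floor on p5-DBD-Pg in the PGSQL block rises from 1.45 to 2.19.3 for every PGSQL user, while the release note quoted in the log ties 2.19.3 only to PostgreSQL 9.2. That is the safe choice, but the Makefile carries no explanation, so add a one-line comment above RUN_DEPENDS citing Bug 799721 so the bound is not relaxed later by mistake.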

Modified: branches/RELENG_9_1_0/devel/bugzilla42/distinfo
==============================================================================
--- branches/RELENG_9_1_0/devel/bugzilla42/distinfo	Thu Nov 15 08:28:11 2012	(r307441)
+++ branches/RELENG_9_1_0/devel/bugzilla42/distinfo	Thu Nov 15 08:50:06 2012	(r307442)
@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-4.2.3.tar.gz) = 712d645c5b2b081e42b2a364c26edf8a8a0048f463a426ac38cc482d31b11fb3
-SIZE (bugzilla/bugzilla-4.2.3.tar.gz) = 2977764
+SHA256 (bugzilla/bugzilla-4.2.4.tar.gz) = bede0cf893ad8ac99715614af0cf4624bc0e8552852f51290f546006105ce695
+SIZE (bugzilla/bugzilla-4.2.4.tar.gz) = 2976363

Modified: branches/RELENG_9_1_0/german/bugzilla/Makefile
==============================================================================
--- branches/RELENG_9_1_0/german/bugzilla/Makefile	Thu Nov 15 08:28:11 2012	(r307441)
+++ branches/RELENG_9_1_0/german/bugzilla/Makefile	Thu Nov 15 08:50:06 2012	(r307442)
@@ -2,7 +2,7 @@
 
 PORTNAME=	bugzilla
 PORTVERSION=	4.0.8
-#PORTREVISION=	1
+PORTREVISION=	1
 CATEGORIES=	german
 MASTER_SITES=	SF
 MASTER_SITE_SUBDIR=bugzilla-de/${PORTVERSION:R}/${PORTVERSION}
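
Review bot: PORTVERSION stays at 4.0.8 with PORTREVISION=1, while the post-patch target later in this file rewrites the version in gzversion.html.tmpl to 4.0.9. The package will then be versioned 4.0.8_1 but display 4.0.9, which makes it hard to tell from the package database whether the template security fixes are present. Add a comment next to PORTREVISION explaining that the distfile is still 4.0.8 and that the fixes come from the new files/ directory.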
@@ -21,9 +21,10 @@ NO_WRKSUBDIR=	yes
 
 LANGDIR=	${WWWDIR}/template/de
 
-#post-patch:
-#	${REINPLACE_CMD} -i '' -e 's/4.0.7/4.0.8/' \
-#		${WRKDIR}/de/default/global/gzversion.html.tmpl
+post-patch:
+	@${REINPLACE_CMD} -i '' -e 's/4.0.8/4.0.9/' \
+		${WRKDIR}/de/default/global/gzversion.html.tmpl
+	@${FIND} ${WRKDIR}/de/default/ -type f \( -name \*.orig -o -name \*.bak \) -delete
 
 do-install:
 	@-${MKDIR} ${LANGDIR}
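
Review bot: the expression 's/4.0.8/4.0.9/' in post-patch leaves the dots unescaped, so each one matches any character, and it hard-codes both versions, which is how the previous copy ended up commented out with stale numbers. Escape the dots and take the old side from ${PORTVERSION}, so only the target version has to be edited on the next update. The same applies to the identical post-patch targets in german/bugzilla3 and german/bugzilla42.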

Modified: branches/RELENG_9_1_0/german/bugzilla3/Makefile
==============================================================================
--- branches/RELENG_9_1_0/german/bugzilla3/Makefile	Thu Nov 15 08:28:11 2012	(r307441)
+++ branches/RELENG_9_1_0/german/bugzilla3/Makefile	Thu Nov 15 08:50:06 2012	(r307442)
@@ -2,7 +2,7 @@
 
 PORTNAME=	bugzilla
 PORTVERSION=	3.6.11
-#PORTREVISION=	1
+PORTREVISION=	1
 CATEGORIES=	german
 MASTER_SITES=	SF
 MASTER_SITE_SUBDIR=bugzilla-de/${PORTVERSION:R}/${PORTVERSION}
@@ -21,9 +21,10 @@ NO_WRKSUBDIR=	yes
 
 LANGDIR=	${WWWDIR}/template/de
 
-#post-patch:
-#	${REINPLACE_CMD} -i '' -e 's/3.6.10/3.6.11/' \
-#		${WRKDIR}/de/default/global/gzversion.html.tmpl
+post-patch:
+	@${REINPLACE_CMD} -i '' -e 's/3.6.11/3.6.12/' \
+		${WRKDIR}/de/default/global/gzversion.html.tmpl
+	@${FIND} ${WRKDIR}/de/default/ -type f \( -name \*.orig -o -name \*.bak \) -delete
 
 do-install:
 	@-${MKDIR} ${LANGDIR}

Modified: branches/RELENG_9_1_0/german/bugzilla42/Makefile
==============================================================================
--- branches/RELENG_9_1_0/german/bugzilla42/Makefile	Thu Nov 15 08:28:11 2012	(r307441)
+++ branches/RELENG_9_1_0/german/bugzilla42/Makefile	Thu Nov 15 08:50:06 2012	(r307442)
@@ -2,7 +2,7 @@
 
 PORTNAME=	bugzilla
 PORTVERSION=	4.2.3
-#PORTREVISION=	1
+PORTREVISION=	1
 CATEGORIES=	german
 MASTER_SITES=	SF
 MASTER_SITE_SUBDIR=bugzilla-de/${PORTVERSION:R}/${PORTVERSION}
@@ -21,10 +21,10 @@ NO_WRKSUBDIR=	yes
 
 LANGDIR=	${WWWDIR}/template/de
 
-#post-patch:
-#	@${REINPLACE_CMD} -i '' -e 's/4.2.2/4.2.3/' \
-#		${WRKDIR}/de/default/global/gzversion.html.tmpl
-#	@${FIND} ${WRKDIR} -type f -name \*.orig -delete
+post-patch:
+	@${REINPLACE_CMD} -i '' -e 's/4.2.3/4.2.4/' \
+		${WRKDIR}/de/default/global/gzversion.html.tmpl
+	@${FIND} ${WRKDIR}/de/default/ -type f \( -name \*.orig -o -name \*.bak \) -delete
 
 do-install:
 	@-${MKDIR} ${LANGDIR}
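
Review bot: the cleanup in post-patch now searches only ${WRKDIR}/de/default/, where the commented-out line it replaces swept all of ${WRKDIR}. If any patch in the new files/ directory touches a file outside de/default/, its .orig backup stays in the work tree and may be picked up by do-install. Either keep the search rooted at ${WRKDIR} or add a comment stating that all patched files live under de/default/.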

Modified: branches/RELENG_9_1_0/security/vuxml/vuln.xml
==============================================================================
--- branches/RELENG_9_1_0/security/vuxml/vuln.xml	Thu Nov 15 08:28:11 2012	(r307441)
+++ branches/RELENG_9_1_0/security/vuxml/vuln.xml	Thu Nov 15 08:50:06 2012	(r307442)
@@ -51,6 +51,63 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="2b841f88-2e8d-11e2-ad21-20cf30e32f6d">
+    <topic>bugzilla -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>bugzilla</name>
+	<range><ge>3.6.0</ge><lt>3.6.12</lt></range>
+	<range><ge>4.0.0</ge><lt>4.0.9</lt></range>
+	<range><ge>4.2.0</ge><lt>4.2.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>A Bugzilla Security Advisory reports:</h1>
+	<blockquote cite="http://www.bugzilla.org/security/3.6.11/">;
+	  <p>The following security issues have been discovered in
+	     Bugzilla:</p>
+	  <h1>Information Leak</h1>
+	  <p>If the visibility of a custom field is controlled by a product
+	    or a component of a product you cannot see, their names are
+	    disclosed in the JavaScript code generated for this custom field
+	    despite they should remain confidential.</p>
+	  <p>Calling the User.get method with a 'groups' argument leaks the
+	    existence of the groups depending on whether an error is thrown
+	    or not. This method now also throws an error if the user calling
+	    this method does not belong to these groups (independently of
+	    whether the groups exist or not).</p>
+	  <p>Trying to mark an attachment in a bug you cannot see as obsolete
+	    discloses its description in the error message. The description
+	    of the attachment is now removed from the error message.</p>
+	  <h1>Cross-Site Scripting</h1>
+	  <p>Due to incorrectly filtered field values in tabular reports,
+	    it is possible to inject code leading to XSS.</p>
+	  <p>A vulnerability in swfstore.swf from YUI2 allows JavaScript
+	    injection exploits to be created against domains that host this
+	    affected YUI .swf file.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2012-4199</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=731178</url>;
+      <cvename>CVE-2012-4198</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=781850</url>;
+      <cvename>CVE-2012-4197</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=802204</url>;
+      <cvename>CVE-2012-4189</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=790296</url>;
+      <cvename>CVE-2012-5475</cvename>
+      <url>https://bugzilla.mozilla.org/show_bug.cgi?id=808845</url>;
+      <url>http://yuilibrary.com/support/20121030-vulnerability/</url>;
+    </references>
+    <dates>
+      <discovery>2012-11-13</discovery>
+      <entry>2012-11-14</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="79818ef9-2d10-11e2-9160-00262d5ed8ee">
     <topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic>
     <affects>
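
Review bot: the <affects> block of the new entry lists only the package name bugzilla, but this commit also ships template security fixes for german/bugzilla, german/bugzilla3 and german/bugzilla42. If those ports install under a different package name, their vulnerable builds will not be flagged by this entry; add them as a second <package> element with ranges that end at the PORTREVISION=1 builds.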


