From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Aug 21 12:40:02 2013
Message-Id: <201308211237.r7LCbW4Q063598@meatwad.mouf.net>
Date: Wed, 21 Aug 2013 12:37:32 GMT
From: Steve Wills
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/181453: [PATCH] www/py27-graphite-web: update to 0.9.11 and fix security issue
Cc: bsdports@wayfair.com
List-Id: Ports bug reports

>Number: 181453
>Category: ports
>Synopsis: [PATCH] www/py27-graphite-web: update to 0.9.11 and fix security issue
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Wed Aug 21 12:40:02 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Steve Wills
>Release: FreeBSD 10.0-CURRENT amd64
>Organization:
>Environment:
System: FreeBSD meatwad.mouf.net 10.0-CURRENT FreeBSD 10.0-CURRENT #0 r253898: Sat Aug 3 00:09:09
>Description:
- Update to 0.9.11
- Fix security issue

Port maintainer (bsdports@wayfair.com) is cc'd.

Generated with FreeBSD Port Tools 0.99_8 (mode: update, diff: SVN)
>How-To-Repeat:
>Fix:

--- py27-graphite-web-0.9.11.patch begins here --- Index: Makefile =================================================================== --- Makefile (revision 325114) +++ Makefile (working copy) 
@@ -2,11 +2,9 @@ # $FreeBSD$ PORTNAME= graphite-web -PORTVERSION= 0.9.10 -PORTREVISION= 1 +PORTVERSION= 0.9.11 CATEGORIES= www python -#MASTER_SITES= CHEESESHOP \ -MASTER_SITES= https://github.com/downloads/graphite-project/${PORTNAME}/ +MASTER_SITES= https://github.com/graphite-project/${PORTNAME}/archive/${PORTVERSION}.tar.gz?dummy= PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} MAINTAINER= bsdports@wayfair.com @@ -14,10 +12,10 @@ RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cairo>=1.8.10:${PORTSDIR}/graphics/py-cairo \ ${PYTHON_PKGNAMEPREFIX}carbon>=${PORTVERSION}:${PORTSDIR}/databases/py-carbon \ - ${PYTHON_PKGNAMEPREFIX}django>=1.3.1:${PORTSDIR}/www/py-django \ + ${PYTHON_PKGNAMEPREFIX}django>=1.4:${PORTSDIR}/www/py-django \ ${PYTHON_PKGNAMEPREFIX}django-tagging>=0.3.1:${PORTSDIR}/www/py-django-tagging -FETCH_ARGS= -pRr +FETCH_ARGS= -o ${DISTNAME}${EXTRACT_SUFX} USE_PYTHON= -2.7 USE_PYDISTUTILS=yes Index: distinfo =================================================================== --- distinfo (revision 325114) +++ distinfo (working copy) @@ -1,2 +1,2 @@ -SHA256 (graphite-web-0.9.10.tar.gz) = 4fd1d16cac3980fddc09dbf0a72243c7ae32444903258e1b65e28428a48948be -SIZE (graphite-web-0.9.10.tar.gz) = 2117421 +SHA256 (graphite-web-0.9.11.tar.gz) = 1aeb0fa2dd346725ca067a42a366dd9f90072d0d8b660026211ce3e37103e4e3 +SIZE (graphite-web-0.9.11.tar.gz) = 2333562 Index: files/patch-webapp-graphite-local__settings.py.example =================================================================== --- files/patch-webapp-graphite-local__settings.py.example (revision 325114) +++ files/patch-webapp-graphite-local__settings.py.example (working copy) 
@@ -39,16 +39,3 @@ ##################################### -@@ -156,6 +167,12 @@ - #DATABASE_PASSWORD = 'graphite-is-awesome' - #DATABASE_HOST = 'mysql.mycompany.com' - #DATABASE_PORT = '3306' -+DATABASES = { -+ 'default': { -+ 'NAME': '/usr/local/graphite/storage/graphite.db', -+ 'ENGINE': 'django.db.backends.sqlite3', -+ } -+} - - - ######################### Index: pkg-plist =================================================================== --- pkg-plist (revision 325114) +++ pkg-plist (working copy) @@ -54,6 +54,7 @@ graphite/webapp/content/img/arrow1.gif graphite/webapp/content/img/blank.gif graphite/webapp/content/img/calBt.gif +graphite/webapp/content/img/carbon-fiber.png graphite/webapp/content/img/clock_16.png graphite/webapp/content/img/delete.gif graphite/webapp/content/img/error.png @@ -62,11 +63,26 @@ graphite/webapp/content/img/graphite_short.png graphite/webapp/content/img/indicator.png graphite/webapp/content/img/leaf.gif +graphite/webapp/content/img/line_chart.png graphite/webapp/content/img/mini-bottom2.gif graphite/webapp/content/img/mini-top2.gif graphite/webapp/content/img/save.gif graphite/webapp/content/img/searching.gif graphite/webapp/content/img/updateGraph.gif +graphite/webapp/content/js/ace/ace.js +graphite/webapp/content/js/ace/keybinding-vim.js +graphite/webapp/content/js/ace/mode-c_cpp.js +graphite/webapp/content/js/ace/mode-clojure.js +graphite/webapp/content/js/ace/mode-coffee.js +graphite/webapp/content/js/ace/mode-csharp.js +graphite/webapp/content/js/ace/mode-css.js +graphite/webapp/content/js/ace/mode-groovy.js +graphite/webapp/content/js/ace/mode-html.js +graphite/webapp/content/js/ace/mode-java.js +graphite/webapp/content/js/ace/mode-javascript.js +graphite/webapp/content/js/ace/mode-json.js +graphite/webapp/content/js/ace/theme-textmate.js +graphite/webapp/content/js/ace/worker-javascript.js graphite/webapp/content/js/browser.js graphite/webapp/content/js/cli.js graphite/webapp/content/js/completer.js 
@@ -797,6 +813,7 @@ @dirrm graphite/webapp/content/js/ext/adapter/ext @dirrm graphite/webapp/content/js/ext/adapter @dirrm graphite/webapp/content/js/ext +@dirrm graphite/webapp/content/js/ace @dirrm graphite/webapp/content/js @dirrm graphite/webapp/content/img @dirrm graphite/webapp/content/html --- py27-graphite-web-0.9.11.patch ends here --- --- vuln.xml.patch begins here --- Index: vuln.xml =================================================================== --- vuln.xml (revision 325081) +++ vuln.xml (working copy) @@ -51,6 +51,50 @@ --> + + py-graphite-web -- Multiple vulnerabilities + + + py26-graphite-web + 0.9.11 + + + py27-graphite-web + 0.9.11 + + + py31-graphite-web + 0.9.11 + + + py32-graphite-web + 0.9.11 + + + py33-graphite-web + 0.9.11 + + + + +

Graphite developers report:

+
+

This release contains several security fixes for cross-site + scripting (XSS) as well as a fix for a remote-execution exploit in + graphite-web (CVE-2013-5903).

+
+ +
+ + CVE-2013-5093 + https://github.com/rapid7/metasploit-framework/pull/2260 + + + 2013-08-21 + 2013-08-21 + +
+ gstreamer-ffmpeg -- Multiple vulnerabilities in bundled libav --- vuln.xml.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
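
Review bot: In the second Makefile hunk, "FETCH_ARGS= -o ${DISTNAME}${EXTRACT_SUFX}" replaces the previous "-pRr" outright, so every flag the port used to pass to fetch is dropped as a side effect of the rename trick, and nothing in the Makefile explains that the "?dummy=" suffix added to MASTER_SITES in the first hunk exists only to make that rename work. Either keep the flags that are still wanted alongside "-o" or add a comment next to both lines saying why they are written this way. Since the distfile now comes from the repository's archive URL and is renamed on download, the SHA256 in distinfo is the only thing that ties the build to a known tarball, so the PR should say how that checksum was obtained. The same hunk also raises the Django requirement from ">=1.3.1" to ">=1.4", which the description does not mention; a line in the description saying whether this is an upstream requirement of 0.9.11 would help the committer.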
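
Review bot: The change to files/patch-webapp-graphite-local__settings.py.example removes the port's added DATABASES block (the sqlite3 entry pointing at /usr/local/graphite/storage/graphite.db) with no explanation in the description. If 0.9.11 ships an equivalent default, say so in the PR; if it does not, the example settings installed by the port no longer define a database, and that should be called out for people upgrading from 0.9.10, for instance in pkg-message or the commit log.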
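
Review bot: The new vuln.xml entry names two different CVE identifiers: the quoted description says "(CVE-2013-5903)" while the references section lists "CVE-2013-5093". The digits are transposed in one of them, and anyone matching this entry by the identifier in its description will be looking for the wrong one, so check the identifier against the upstream announcement and make both places agree. The only URL given is a metasploit-framework pull request, although the text is attributed to the Graphite developers; add a reference to the upstream release notes or announcement the quote was taken from. The PR synopsis and description say only "fix security issue", so naming the CVE there as well would make the PR searchable.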