Date:      Tue, 30 Mar 2004 05:55:55 -0800 (PST)
From:      Kang Liu <liukang@bjpu.edu.cn>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/64939: [maintainer] update www/phpbb to 2.0.8a
Message-ID:  <200403301355.i2UDttEs032075@www.freebsd.org>
Resent-Message-ID: <200403301400.i2UE0VEi058744@freefall.freebsd.org>


>Number:         64939
>Category:       ports
>Synopsis:       [maintainer] update www/phpbb to 2.0.8a
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 30 06:00:30 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Kang Liu
>Release:        4.9
>Organization:
Beijing University of Technology
>Environment:
4.9-STABLE
>Description:
1. Update phpbb to 2.0.8a
2. Remove temporary patch for SQL injection in privmsg.php. The new release has fixed this vulnerability.
3. Bump PORTREVISION
>How-To-Repeat:
n/a
>Fix:
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/www/phpbb/distinfo,v
retrieving revision 1.12
diff -u -r1.12 distinfo
--- distinfo	26 Mar 2004 17:06:30 -0000	1.12
+++ distinfo	30 Mar 2004 13:32:42 -0000
@@ -1,2 +1,2 @@
-MD5 (phpBB-2.0.8.tar.bz2) = 20d9e163e3f3b575639c2a1fbd9e8690
-SIZE (phpBB-2.0.8.tar.bz2) = 456585
+MD5 (phpBB-2.0.8a.tar.bz2) = 44d33a5851800f8f278d3c100fb2fcb3
+SIZE (phpBB-2.0.8a.tar.bz2) = 457308
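Review bot: confirm the new MD5/SIZE pair for phpBB-2.0.8a.tar.bz2 was produced by `make makesum` against the tarball fetched from MASTER_SITES, and cross-check the MD5 against the value phpBB publishes for the release, since an MD5-only checksum is the sole integrity check the port applies to a distfile whose name changes in this same update. The renamed distfile here matches the `DISTNAME= phpBB-${PORTVERSION}a` change in the Makefile hunk, so the two hunks must land together.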
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/www/phpbb/Makefile,v
retrieving revision 1.21
diff -u -r1.21 Makefile
--- Makefile	27 Mar 2004 15:07:16 -0000	1.21
+++ Makefile	30 Mar 2004 13:48:59 -0000
@@ -7,11 +7,11 @@
 
 PORTNAME=	phpbb
 PORTVERSION=	2.0.8
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
-DISTNAME=	phpBB-${PORTVERSION}
+DISTNAME=	phpBB-${PORTVERSION}a
 
 MAINTAINER=	liukang@bjpu.edu.cn
 COMMENT=	A PHP-based bulletin board / discussion forum system
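Review bot: PORTVERSION stays at 2.0.8 while the "a" suffix is hard-coded into DISTNAME, so the installed package will report itself as phpbb-2.0.8_2 even though the code is 2.0.8a; anything that matches advisories against package versions will not see the "a". If that is intentional, add a one-line comment above `DISTNAME=	phpBB-${PORTVERSION}a` saying the suffix belongs to the 2.0.8a re-release so it is dropped on the next PORTVERSION bump, and mention the 2.0.8a mapping in the commit log.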
@@ -61,7 +61,6 @@
 post-patch:
 	@ ${REINPLACE_CMD} -e "s#\.\./templates#/${PHPBBURL}/templates#" \
 	  ${WRKSRC}/docs/*.html
-	@ ${RM} ${WRKSRC}/*.orig
 
 post-configure:
 	@ ${SED} \

--- files/patch-privmsg.php	Sat Mar 27 23:07:16 2004
+++ /dev/null	Tue Mar 30 21:33:27 2004
@@ -1,21 +0,0 @@
---- privmsg.php	2004-03-18 19:51:32.000000000 +0000
-+++ privmsg.1.php	2004-03-26 19:51:07.000000000 +0000
-@@ -212,7 +212,17 @@
- 			break;
- 		case 'savebox':
- 			$l_box_name = $lang['Savebox'];
--			$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
-+			
-+			//
-+			// For some obscure reason, the assignment 
-+			// concatenation operator was coded below, which 
-+			// allowed an attacker to append arbitrary SQL code
-+			// to the end of the $pm_sql_user variable.
-+			// This is fixed below.
-+			//
-+			// -shaun2k2
-+			//
-+			$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
- 					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) 
- 				OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
- 					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " ) 
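Review bot: the temporary patch being deleted changed `$pm_sql_user .=` to `$pm_sql_user =` in the 'savebox' case of privmsg.php, which is what stopped caller-supplied SQL from being appended to the condition; before removing it, verify by diffing privmsg.php between the 2.0.8 and 2.0.8a tarballs that the upstream file carries an equivalent assignment, and say so in the commit message so the security-fix history of the port is visible. The trailing context of the removed patch ends mid-statement, which is fine for a whole-file deletion (`+++ /dev/null`), but the deletion should be committed with `cvs rm` rather than applied as a diff.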

>Release-Note:
>Audit-Trail:
>Unformatted: