svn commit: r308867 - head/www/hastymail2
Beech Rintoul
beech at freebsdnorth.com
Thu Dec 13 19:31:02 UTC 2012
On Thursday 13 December 2012 10:08:45 Eitan Adler wrote:
> On 13 December 2012 14:04, Beech Rintoul <beech at freebsd.org> wrote:
> > Author: beech
> > Date: Thu Dec 13 19:04:56 2012
> > New Revision: 308867
> > URL: http://svnweb.freebsd.org/changeset/ports/308867
> >
> > Log:
> > - Update to 1.1 final.
> > - Security vulnerabilities are fixed in this version.
>
> Which ones? Is there a vuxml to go along with this?
No vuxml and no mention of security vulnerabilities in previous pr's. The
website shows the following which doesn't appear anywhere else:
Two security issues have been recently discovered in Hastymail. Both are fixed
in this latest release. All users are encouraged to upgrade to the 1.1 version
to protect themselves from these issues.
Remote code execution: In order for this issue to be exploitable sites must
have the notices plugin enabled in Hastymail, and register_globals and
allow_url_fopen enabled in PHP. It is STRONGLY recommended that you do not
have register_globals enabled in PHP. Upgrading to the 1.1 version resolves
this bug, or you can update the hastymail2/plugins/notices/test_sounds.php
file to the latest version in SVN found here:
http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/plugins/notices/test_sound.php?revision=2074
XXS exploit on thread view: Shai Rod reported an issue on the thread view page
that allows specially crafted message subjects to execute javascript code when
viewed on the thread view page. Several files had to be modified to correct
this issue so it is recommended that sites upgrade to version 1.1 to mitigate
this issue.
More information about the svn-ports-all
mailing list