svn commit: r308867 - head/www/hastymail2

Aldis Berjoza graudeejs at gmail.com
Thu Dec 13 21:42:28 UTC 2012


   13.12.2012, 22:55, "Chris Rees" <utisoft at gmail.com>:

     On 13 Dec 2012 20:18, "Eitan Adler" <[1]eadler at freebsd.org> wrote:
     >
     > On 13 December 2012 14:44, Beech Rintoul <[2]beech at freebsdnorth.com> wrote:
     > > On Thursday 13 December 2012 10:30:54 Beech Rintoul wrote:
     > >> On Thursday 13 December 2012 10:08:45 Eitan Adler wrote:
     > >> > On 13 December 2012 14:04, Beech Rintoul <[3]beech at freebsd.org> wrote:
     > >> > > Author: beech
     > >> > > Date: Thu Dec 13 19:04:56 2012
     > >> > > New Revision: 308867
     > >> > > URL: [4]http://svnweb.freebsd.org/changeset/ports/308867
     > >> > >
     > >> > > Log:
     > >> > > - Update to 1.1 final.
     > >> > > - Security vulnerabilities are fixed in this version.
     > >> >
     > >> > Which ones? Is there a vuxml to go along with this?
     > >>
     > >> No vuxml and no mention of security vulnerabilities in previous pr's. The
     > >> website shows the following which doesn't appear anywhere else:
     > >>
     > >> Two security issues have been recently discovered in Hastymail. Both are
     > >> fixed in this latest release. All users are encouraged to upgrade to the
     > >> 1.1 version to protect themselves from these issues.
     > >>
     > >> Remote code execution: In order for this issue to be exploitable sites must
     > >> have the notices plugin enabled in Hastymail, and register_globals and
     > >> allow_url_fopen enabled in PHP. It is STRONGLY recommended that you do not
     > >> have register_globals enabled in PHP. Upgrading to the 1.1 version resolves
     > >> this bug, or you can update the hastymail2/plugins/notices/test_sounds.php
     > >> file to the latest version in SVN found here:
     > >>
     > >> [5]http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/plugins/notices/test_sound.php?revision=2074
     > >>
     > >> XSS exploit on thread view: Shai Rod reported an issue on the thread view
     > >> page that allows specially crafted message subjects to execute javascript
     > >> code when viewed on the thread view page. Several files had to be modified
     > >> to correct this issue so it is recommended that sites upgrade to version
     > >> 1.1 to mitigate this issue.
     > >
     > > This is the second maintainer timeout, the first being pr 165549 from February
     > > 29. I'm wondering if this port should go back to the pool as
     > > [6]graudeejs at gmail.com hasn't responded.
     >
     > Yes, it should be - it's been over 3 months without a reply or update.
     > He also timed out on a security related PR. Please reset.

     Before you do so, can we see if he replies to his other email
     address (CCd)?

     Chris

   Hello!
   I've been buried with work for the last year. Unfortunately I also
   don't have my own server.
   I'd be glad if this port was given back to the pool.

   --
   Aldis Berjoza
   FreeBSD addict
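
The remote code execution item quoted from the Hastymail site above names three preconditions (notices plugin enabled, register_globals on, allow_url_fopen on). As an added example that is not part of the original thread or of Hastymail's code, this Python sketch reads the text of a php.ini and reports whether those preconditions hold together; the function names and sample fragments are constructed here, and whether the notices plugin is enabled is passed in by the caller as an assumption rather than read from Hastymail's configuration.

```python
import re

# PHP's built-in values when no php.ini line sets the directive.
PHP_DEFAULTS = {"register_globals": False, "allow_url_fopen": True}
_DIRECTIVE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=(.*)$")

def ini_bool(raw):
    """Interpret a php.ini value the way PHP does for on/off directives."""
    value = raw.split(";", 1)[0].strip().strip("\"'").lower()
    if value in ("on", "yes", "true"):
        return True
    try:
        return int(value) != 0
    except ValueError:
        return False  # off, no, false, none, empty

def effective_flags(ini_text):
    """Return the two directives as set by ini_text; a later line wins."""
    flags = dict(PHP_DEFAULTS)
    for line in ini_text.splitlines():
        match = _DIRECTIVE.match(line)  # comment and [section] lines do not match
        if match and match.group(1) in flags:
            flags[match.group(1)] = ini_bool(match.group(2))
    return flags

def rce_preconditions(ini_text, notices_plugin_enabled):
    """True only when all three conditions named in the advisory hold."""
    state = dict(effective_flags(ini_text), notices_plugin=notices_plugin_enabled)
    return all(state.values()), state

# Constructed php.ini fragments, not taken from any real site.
SAMPLE_EXPOSED = """[PHP]
; register_globals = Off
register_globals = On
allow_url_fopen = 1   ; remote URL wrappers enabled
"""
SAMPLE_GLOBALS_OFF = """[PHP]
register_globals = On
register_globals = Off
"""

if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("globals off", SAMPLE_GLOBALS_OFF)):
        met, state = rce_preconditions(text, notices_plugin_enabled=True)
        print(name, "all preconditions met:", met, state)
```

The check covers one ini file only; values set in additional ini files, per-directory sections or web server configuration are not seen by it, so the values reported by the running PHP remain the authority.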

References

   1. mailto:eadler at freebsd.org
   2. mailto:beech at freebsdnorth.com
   3. mailto:beech at freebsd.org
   4. http://svnweb.freebsd.org/changeset/ports/308867
   5. http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/plu
   6. mailto:graudeejs at gmail.com


More information about the svn-ports-all mailing list