svn commit: r308867 - head/www/hastymail2

Adam Weinberger adamw at FreeBSD.org
Thu Dec 13 22:00:29 UTC 2012


>> (2012/12/13 @ 1517 EST): Eitan Adler said, in 2.2K: <<
> On 13 December 2012 14:44, Beech Rintoul <beech at freebsdnorth.com> wrote:
> > On Thursday 13 December 2012 10:30:54 Beech Rintoul wrote:
> >> On Thursday 13 December 2012 10:08:45 Eitan Adler wrote:
> >> > On 13 December 2012 14:04, Beech Rintoul <beech at freebsd.org> wrote:
> >> > > Author: beech
> >> > > Date: Thu Dec 13 19:04:56 2012
> >> > > New Revision: 308867
> >> > > URL: http://svnweb.freebsd.org/changeset/ports/308867
> >> > >
> >> > > Log:
> >> > >   - Update to 1.1 final.
> >> > >   - Security vulnerabilities are fixed in this version.
> >> >
> >> > Which ones? Is there a vuxml to go along with this?
> >>
> >> No vuxml and no mention of security vulnerabilities in previous pr's. The
> >> website shows the following which doesn't appear anywhere else:
> >>
> >> Two security issues have been recently discovered in Hastymail. Both are
> >> fixed in this latest release. All users are encouraged to upgrade to the
> >> 1.1 version to protect themselves from these issues.
> >>
> >> Remote code execution: In order for this issue to be exploitable sites must
> >> have the notices plugin enabled in Hastymail, and register_globals and
> >> allow_url_fopen enabled in  PHP. It is STRONGLY recommended that you do not
> >> have register_globals enabled in PHP. Upgrading to the 1.1 version resolves
> >> this bug, or you can update the hastymail2/plugins/notices/test_sounds.php
> >> file to the latest version in SVN found here:
> >>
> >>  http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/plugins/notices/test_sound.php?revision=2074
> >>
> >> XSS exploit on thread view: Shai Rod reported an issue on the thread view
> >> page that allows specially crafted message subjects to execute javascript
> >> code when viewed on the thread view page. Several files had to be modified
> >> to correct this issue so it is recommended that sites upgrade to version
> >> 1.1 to mitigate this issue.
> >
> > This is the second maintainer timeout, the first being pr 165549 from February
> > 29. I'm wondering if this port should go back to the pool as
> > graudeejs at gmail.com hasn't responded.
> 
> Yes, it should be - it's been over 3 months without a reply or update.
> He also timed out on a security related PR.  Please reset.
> 
>> end of "Re: svn commit: r308867 - head/www/hastymail2" from Eitan Adler <<

He also failed to respond at all to 171669.

# Adam


--
Adam Weinberger
adamw at adamw.org
http://www.adamw.org
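As an added illustration (not code from Hastymail, the port, or anyone in this thread) of the two issue classes named in the quoted release note: the note says the remote code execution needs the notices plugin plus register_globals and allow_url_fopen, which is the precondition set for a classic remote-file-inclusion bug, and the thread-view XSS is a subject string reaching the page unescaped. The variable name `$sound`, the `sounds/` paths, and the sample subject below are constructed for the example; the real plugin's code is not shown on this page.

```php
<?php
// Added example, not Hastymail's code. It shows the bug class that needs
// register_globals + allow_url_fopen, the hardened form, a deployment check
// for those two php.ini directives, and output escaping for the XSS case.

// --- Vulnerable pattern (hypothetical; do not deploy) ------------------
// With register_globals=On, a query-string parameter named "sound" becomes
// the global $sound before this code runs. With allow_url_fopen=On, include()
// will fetch a URL, so an attacker-supplied value executes remote PHP.
function play_sound_vulnerable() {
    global $sound;      // never initialised here; attacker can define it
    include $sound;     // user-controlled string reaches include()
}

// --- Hardened form ----------------------------------------------------
// Read input explicitly from $_GET (passed in for testability) and map it
// through a fixed allow-list, so no user string ever reaches include/fopen.
function sound_file_hardened(array $get) {
    $name   = isset($get['sound']) ? (string) $get['sound'] : '';
    $sounds = [
        'ding'  => 'sounds/ding.wav',   // constructed paths
        'chime' => 'sounds/chime.wav',
    ];
    return isset($sounds[$name]) ? $sounds[$name] : null;
}

// --- Deployment check for the two settings the release note calls out ---
// Both should be Off in php.ini:  register_globals = Off  /  allow_url_fopen = Off
// register_globals was removed in PHP 5.4, so ini_get() returns false there.
function php_settings_report() {
    return [
        'register_globals' => filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_fopen'  => filter_var(ini_get('allow_url_fopen'),  FILTER_VALIDATE_BOOLEAN),
    ];
}

// --- Thread-view XSS: escape the subject before emitting it ------------
// Message subjects are attacker-controlled. ENT_QUOTES plus the page charset
// neutralises both <script> injection and attribute break-out payloads.
function render_subject($subject, $charset = 'UTF-8') {
    return htmlspecialchars($subject, ENT_QUOTES, $charset);
}

// Constructed sample input for a stand-alone run.
$report = php_settings_report();
foreach ($report as $directive => $on) {
    echo $directive, ': ', $on ? 'ON (unsafe)' : 'off', "\n";
}
var_dump(sound_file_hardened(['sound' => 'ding']));
var_dump(sound_file_hardened(['sound' => 'http://example.invalid/x']));
echo render_subject('<script>alert(1)</script>'), "\n";
```

Run it from the command line with the php binary of the server in question; the report section reflects that binary's php.ini, so it is a quick way to confirm the two directives the note warns about are actually off on the deployed host.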

