svn commit: r318848 - in head: security/vuxml www/rt38 www/rt40
Matthew Seaman
matthew at FreeBSD.org
Thu May 23 07:24:42 UTC 2013
Author: matthew
Date: Thu May 23 07:24:40 2013
New Revision: 318848
URL: http://svnweb.freebsd.org/changeset/ports/318848
Log:
Security Updates
- www/rt40 to 4.0.13
- www/rt38 to 3.8.17 [1]
This is a security fix addressing a number of CVEs:
CVE-2012-4733
CVE-2013-3368
CVE-2013-3369
CVE-2013-3370
CVE-2013-3371
CVE-2013-3372
CVE-2013-3373
CVE-2013-3374
Users will need to update their database schemas as described in
pkg-message
Approved by: flo [1]
Security: 3a429192-c36a-11e2-97a9-6805ca0b3d42
Modified:
head/security/vuxml/vuln.xml
head/www/rt38/Makefile
head/www/rt38/distinfo
head/www/rt40/Makefile
head/www/rt40/distinfo
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu May 23 07:11:47 2013 (r318847)
+++ head/security/vuxml/vuln.xml Thu May 23 07:24:40 2013 (r318848)
@@ -51,6 +51,109 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="3a429192-c36a-11e2-97a9-6805ca0b3d42">
+ <topic>RT -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>rt38</name>
+ <range><ge>3.8</ge><lt>3.8.17</lt></range>
+ </package>
+ <package>
+ <name>rt40</name>
+ <range><ge>4.0</ge><lt>4.0.13</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Thomas Sibley reports:</p>
+ <blockquote cite="http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html">
+ <p>We discovered a number of security vulnerabilities which
+ affect both RT 3.8.x and RT 4.0.x. We are releasing RT
+ versions 3.8.17 and 4.0.13 to resolve these vulnerabilities,
+ as well as patches which apply atop all released versions of
+ 3.8 and 4.0.</p>
+ <p>The vulnerabilities addressed by 3.8.17, 4.0.13, and the
+ below patches include the following:</p>
+ <p>RT 4.0.0 and above are vulnerable to a limited privilege
+ escalation leading to unauthorized modification of ticket
+ data. The DeleteTicket right and any custom lifecycle
+ transition rights may be bypassed by any user with
+ ModifyTicket. This vulnerability is assigned
+ CVE-2012-4733.</p>
+ <p>RT 3.8.0 and above include a version of bin/rt that uses
+ semi-predictable names when creating tempfiles. This could
+ possibly be exploited by a malicious user to overwrite files
+ with permissions of the user running bin/rt. This
+ vulnerability is assigned CVE-2013-3368.</p>
+ <p>RT 3.8.0 and above allow calling of arbitrary Mason
+ components (without control of arguments) for users who can
+ see administration pages. This could be used by a malicious
+ user to run private components which may have negative
+ side-effects. This vulnerability is assigned
+ CVE-2013-3369.</p>
+ <p>RT 3.8.0 and above allow direct requests to private
+ callback components. Though no callback components ship
+ with RT, this could be used to exploit an extension or local
+ callback which uses the arguments passed to it insecurely.
+ This vulnerability is assigned CVE-2013-3370.</p>
+ <p>RT 3.8.3 and above are vulnerable to cross-site scripting
+ (XSS) via attachment filenames. The vector is difficult to
+ exploit due to parsing requirements. Additionally, RT 4.0.0
+ and above are vulnerable to XSS via maliciously-crafted
+ "URLs" in ticket content when RT's "MakeClicky" feature is
+ configured. Although not believed to be exploitable in the
+ stock configuration, a patch is also included for RTIR 2.6.x
+ to add bulletproofing. These vulnerabilities are assigned
+ CVE-2013-3371.</p>
+ <p>RT 3.8.0 and above are vulnerable to an HTTP header
+ injection limited to the value of the Content-Disposition
+ header. Injection of other arbitrary response headers is
+ not possible. Some (especially older) browsers may allow
+ multiple Content-Disposition values which could lead to XSS.
+ Newer browsers contain security measures to prevent this.
+ Thank you to Dominic Hargreaves for reporting this
+ vulnerability. This vulnerability is assigned
+ CVE-2013-3372.</p>
+ <p>RT 3.8.0 and above are vulnerable to a MIME header
+ injection in outgoing email generated by RT. The vectors
+ via RT's stock templates are resolved by this patchset, but
+ any custom email templates should be updated to ensure that
+ values interpolated into mail headers do not contain
+ newlines. This vulnerability is assigned CVE-2013-3373.</p>
+ <p>RT 3.8.0 and above are vulnerable to limited session
+ re-use when using the file-based session store,
+ Apache::Session::File. RT's default session configuration
+ only uses Apache::Session::File for Oracle. RT instances
+ using Oracle may be locally configured to use the
+ database-backed Apache::Session::Oracle, in which case
+ sessions are never re-used. The extent of session re-use is
+ limited to information leaks of certain user preferences and
+ caches, such as queue names available for ticket creation.
+ Thank you to Jenny Martin for reporting the problem that
+ lead to discovery of this vulnerability. This vulnerability
+ is assigned CVE-2013-3374.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html</url>
+ <url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000227.html</url>
+ <url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000228.html</url>
+ <cvename>CVE-2012-4733</cvename>
+ <cvename>CVE-2013-3368</cvename>
+ <cvename>CVE-2013-3369</cvename>
+ <cvename>CVE-2013-3370</cvename>
+ <cvename>CVE-2013-3371</cvename>
+ <cvename>CVE-2013-3372</cvename>
+ <cvename>CVE-2013-3373</cvename>
+ <cvename>CVE-2013-3374</cvename>
+ </references>
+ <dates>
+ <discovery>2013-05-22</discovery>
+ <entry>2013-05-23</entry>
+ </dates>
+ </vuln>
+
<vuln vid="358133b5-c2b9-11e2-a738-00262d5ed8ee">
<topic>chromium -- multiple vulnerabilities</topic>
<affects>
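Review bot: the second paragraph of the quoted announcement ("The vulnerabilities addressed by 3.8.17, 4.0.13, and the below patches include the following") refers to patch files listed in the upstream post that this entry does not reproduce, so "the below patches" dangles in the VuXML text; either trim the sentence to "The vulnerabilities addressed by 3.8.17 and 4.0.13 include the following:" or rely on the 000227/000228 reference URLs as the pointer to those patches. Also, the CVE-2013-3371 paragraph says a bulletproofing patch is included for RTIR 2.6.x, but `<affects>` lists only rt38 and rt40; confirm whether an RTIR port in the tree needs its own `<package>` entry or is deliberately left out as "not believed to be exploitable in the stock configuration".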
Modified: head/www/rt38/Makefile
==============================================================================
--- head/www/rt38/Makefile Thu May 23 07:11:47 2013 (r318847)
+++ head/www/rt38/Makefile Thu May 23 07:24:40 2013 (r318848)
@@ -8,7 +8,7 @@
# o install a sample into etc/apache22/Includes
PORTNAME= rt
-PORTVERSION= 3.8.16
+PORTVERSION= 3.8.17
CATEGORIES= www
MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ \
ftp://ftp.eu.uu.net/pub/unix/ticketing/rt/release/
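Review bot: the log says users must update their database schemas "as described in pkg-message", yet neither www/rt38/pkg-message nor www/rt40/pkg-message appears in the modified file list, only Makefile and distinfo for each port; confirm that the existing pkg-message text already covers the schema upgrade step for the 3.8.16 -> 3.8.17 and 4.0.12 -> 4.0.13 updates, otherwise users following it will skip a step the security fix depends on.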
Modified: head/www/rt38/distinfo
==============================================================================
--- head/www/rt38/distinfo Thu May 23 07:11:47 2013 (r318847)
+++ head/www/rt38/distinfo Thu May 23 07:24:40 2013 (r318848)
@@ -1,2 +1,2 @@
-SHA256 (rt-3.8.16.tar.gz) = 8a0bdb9fc2938ffe21111127d5777ef5d3107195c2597cb35c5c0a44dc4ca045
-SIZE (rt-3.8.16.tar.gz) = 5650272
+SHA256 (rt-3.8.17.tar.gz) = d9cd8b239712f25d38619791ab9f8d60c57f001cc0df2caeb2ccb7ad9f8a4acd
+SIZE (rt-3.8.17.tar.gz) = 5728368
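Review bot: the MASTER_SITES in the Makefile hunk above are plain http and ftp, so this SHA256 line is the only integrity check anyone fetching rt-3.8.17.tar.gz gets; the new hash should be compared against upstream's published checksum or signature for 3.8.17 rather than regenerated from whatever the mirror served, and the same applies to the rt40 distinfo below.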
Modified: head/www/rt40/Makefile
==============================================================================
--- head/www/rt40/Makefile Thu May 23 07:11:47 2013 (r318847)
+++ head/www/rt40/Makefile Thu May 23 07:24:40 2013 (r318848)
@@ -1,7 +1,7 @@
# $FreeBSD$
PORTNAME= rt
-PORTVERSION= 4.0.12
+PORTVERSION= 4.0.13
CATEGORIES= www
MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ \
ftp://ftp.eu.uu.net/pub/unix/ticketing/rt/release/
Modified: head/www/rt40/distinfo
==============================================================================
--- head/www/rt40/distinfo Thu May 23 07:11:47 2013 (r318847)
+++ head/www/rt40/distinfo Thu May 23 07:24:40 2013 (r318848)
@@ -1,2 +1,2 @@
-SHA256 (rt-4.0.12.tar.gz) = ce246da3c5f03144d3070a2419ccc0756496501f143f343b52b96cb2adec09da
-SIZE (rt-4.0.12.tar.gz) = 6895082
+SHA256 (rt-4.0.13.tar.gz) = b8c516e6b99a38476eb0e0d6336d11056e322a2143e01c96e42f4586a68bf999
+SIZE (rt-4.0.13.tar.gz) = 6895248
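Review bot: the SIZE delta for 4.0.12 -> 4.0.13 is only 166 bytes (6895082 -> 6895248) while the 3.8.16 -> 3.8.17 tarball grew by roughly 78 KB; a release that, per the vuxml text, touches bin/rt, Mason component dispatch, mail templates and the session store is small enough here to be worth a second look, so confirm the fetched file is the fresh upstream 4.0.13 archive and not a stale or partial download before this hash is relied on.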