cvs commit: ports/devel/bugzilla Makefile distinfo ports/german/bugzilla Makefile distinfo ports/russian/bugzilla-ru Makefile distinfo pkg-plist

Olli Hauer ohauer at
Tue Apr 10 05:15:48 UTC 2012

ohauer      2012-04-10 05:15:48 UTC

  FreeBSD ports repository

  Modified files:
    devel/bugzilla       Makefile distinfo 
    german/bugzilla      Makefile distinfo 
    russian/bugzilla-ru  Makefile distinfo pkg-plist 
  - update to 4.0.5
  Vulnerability Details
  Class:       Cross-Site Request Forgery
  Versions:    4.0.2 to 4.0.4, 4.1.1 to 4.2rc2
  Fixed In:    4.0.5, 4.2
  Description: Due to a lack of validation of the enctype form
               attribute when making POST requests to xmlrpc.cgi,
               a possible CSRF vulnerability was discovered. If a user
               visits an HTML page with some malicious HTML code in it,
               an attacker could make changes to a remote Bugzilla installation
               on behalf of the victim's account by using the XML-RPC API
               on a site running mod_perl. Sites running under mod_cgi
               are not affected. Also the user would have had to be
               already logged in to the target site for the vulnerability
               to work.
  CVE Number:  CVE-2012-0453
  Approved by:    skv (implicit)
  Revision  Changes    Path
  1.92      +1 -1      ports/devel/bugzilla/Makefile
  1.49      +2 -2      ports/devel/bugzilla/distinfo
  1.6       +1 -1      ports/german/bugzilla/Makefile
  1.5       +2 -2      ports/german/bugzilla/distinfo
  1.15      +3 -2      ports/russian/bugzilla-ru/Makefile
  1.10      +2 -2      ports/russian/bugzilla-ru/distinfo
  1.7       +0 -1      ports/russian/bugzilla-ru/pkg-plist

More information about the cvs-ports mailing list