cvs commit: ports/devel/bugzilla Makefile distinfo ports/german/bugzilla Makefile distinfo ports/russian/bugzilla-ru Makefile distinfo pkg-plist
Olli Hauer
ohauer at FreeBSD.org
Tue Apr 10 05:15:48 UTC 2012
ohauer 2012-04-10 05:15:48 UTC
FreeBSD ports repository
Modified files:
devel/bugzilla Makefile distinfo
german/bugzilla Makefile distinfo
russian/bugzilla-ru Makefile distinfo pkg-plist
Log:
- update to 4.0.5
Vulnerability Details
=====================
Class: Cross-Site Request Forgery
Versions: 4.0.2 to 4.0.4, 4.1.1 to 4.2rc2
Fixed In: 4.0.5, 4.2
Description: Due to a lack of validation of the enctype form
attribute when making POST requests to xmlrpc.cgi,
a possible CSRF vulnerability was discovered. If a user
visits an HTML page with some malicious HTML code in it,
an attacker could make changes to a remote Bugzilla installation
on behalf of the victim's account by using the XML-RPC API
on a site running mod_perl. Sites running under mod_cgi
are not affected. Also the user would have had to be
already logged in to the target site for the vulnerability
to work.
References: https://bugzilla.mozilla.org/show_bug.cgi?id=725663
CVE Number: CVE-2012-0453
Approved by: skv (implicit)
Revision Changes Path
1.92 +1 -1 ports/devel/bugzilla/Makefile
1.49 +2 -2 ports/devel/bugzilla/distinfo
1.6 +1 -1 ports/german/bugzilla/Makefile
1.5 +2 -2 ports/german/bugzilla/distinfo
1.15 +3 -2 ports/russian/bugzilla-ru/Makefile
1.10 +2 -2 ports/russian/bugzilla-ru/distinfo
1.7 +0 -1 ports/russian/bugzilla-ru/pkg-plist
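The vulnerability class in the log above comes down to one missing check: an HTML form can only submit bodies with the content types a browser allows for cross-site form posts, so an XML-RPC endpoint that parses whatever body arrives, regardless of Content-Type, can be driven by a third-party page while the victim's session cookie rides along. The following is an added illustration, not Bugzilla's own code or the patch in this commit: a minimal XML-RPC request gate in Python, shown in its unchecked form beside the corrected one, run over constructed sample requests. The header names, the method name `Bug.update` and the 415 response are assumptions made for the example.

```python
"""Content-Type gate for an XML-RPC endpoint (added example, not Bugzilla code).

A cross-origin HTML form submission carries the browser's cookies, but the
browser only lets a form set one of a few "form" media types.  An endpoint
that ignores the Content-Type and parses the body as XML anyway therefore
accepts the forged request; requiring an XML media type closes that path.
"""
import xml.etree.ElementTree as ET

# Media types an HTML <form> (via its enctype attribute) can emit.  These are
# the only body types a plain cross-site form post can produce.
FORM_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Media types a genuine XML-RPC client sends.
XMLRPC_MEDIA_TYPES = {"text/xml", "application/xml"}


def media_type(content_type: str) -> str:
    """Return the bare media type: parameters stripped, lower-cased."""
    return content_type.split(";", 1)[0].strip().lower()


def parse_method_call(body: bytes) -> str:
    """Parse an XML-RPC <methodCall> and return its methodName."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    name = root.findtext("methodName")
    if not name:
        raise ValueError("methodCall without methodName")
    return name


def handle_unchecked(headers: dict, body: bytes) -> tuple:
    """Unchecked handler: parses the body no matter what Content-Type says."""
    return ("200", parse_method_call(body))


def handle_checked(headers: dict, body: bytes) -> tuple:
    """Corrected handler: only XML media types reach the XML-RPC parser.

    A request that arrived with a form media type cannot have come from an
    XML-RPC client, so it is refused before any method is dispatched.
    """
    mt = media_type(headers.get("Content-Type", ""))
    if mt not in XMLRPC_MEDIA_TYPES:
        return ("415", None)  # Unsupported Media Type; nothing is executed
    return ("200", parse_method_call(body))


# Constructed sample body: a well-formed XML-RPC call (method name assumed).
SAMPLE_BODY = (
    b"<?xml version='1.0'?><methodCall><methodName>Bug.update</methodName>"
    b"<params/></methodCall>"
)

# Constructed headers: what a real XML-RPC client sends, and what a browser
# sends when an HTML form's enctype is text/plain.
CLIENT_HEADERS = {"Content-Type": "text/xml; charset=UTF-8"}
FORM_POST_HEADERS = {"Content-Type": "text/plain"}


def compare_handlers() -> dict:
    """Run both handlers over both requests; used for the demonstration below."""
    return {
        "unchecked_client": handle_unchecked(CLIENT_HEADERS, SAMPLE_BODY),
        "unchecked_form": handle_unchecked(FORM_POST_HEADERS, SAMPLE_BODY),
        "checked_client": handle_checked(CLIENT_HEADERS, SAMPLE_BODY),
        "checked_form": handle_checked(FORM_POST_HEADERS, SAMPLE_BODY),
    }


if __name__ == "__main__":
    for name, result in compare_handlers().items():
        print(f"{name:16s} -> {result}")
```

The check is deliberately placed before the XML parser runs: a form-originated body that happens to be valid XML must never be dispatched, and rejecting on the media type alone also keeps the parser away from untrusted input it was never meant to see. Note that `media_type` strips the `charset` parameter, so a legitimate `text/xml; charset=UTF-8` client is still admitted.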