svn commit: r306803 - in head: security/vuxml www/rt38
Florian Smeets
flo at FreeBSD.org
Thu Nov 1 14:10:56 UTC 2012
Author: flo
Date: Thu Nov 1 14:10:55 2012
New Revision: 306803
URL: http://svn.freebsd.org/changeset/ports/306803
Log:
Update to 3.8.15
Security: 4b738d54-2427-11e2-9817-c8600054b392
Feature safe: yes
Modified:
head/security/vuxml/vuln.xml
head/www/rt38/Makefile
head/www/rt38/distinfo (contents, props changed)
head/www/rt38/pkg-plist (contents, props changed)
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Nov 1 13:55:03 2012 (r306802)
+++ head/security/vuxml/vuln.xml Thu Nov 1 14:10:55 2012 (r306803)
@@ -51,6 +51,65 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="4b738d54-2427-11e2-9817-c8600054b392">
+ <topic>RT -- Multiple Vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>rt40</name>
+ <range><ge>4.0</ge><lt>4.0.8</lt></range>
+ </package>
+ <package>
+ <name>rt38</name>
+ <range><lt>3.8.15</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>BestPractical report:</p>
+ <blockquote cite="http://blog.bestpractical.com/2012/10/security-vulnerabilities-in-rt.html">
+ <p>All versions of RT are vulnerable to an email header injection
+ attack. Users with ModifySelf or AdminUser can cause RT to add
+ arbitrary headers or content to outgoing mail. Depending on the
+ scrips that are configured, this may be be leveraged for information
+ leakage or phishing.</p>
+ <p>RT 4.0.0 and above and RTFM 2.0.0 and above contain a vulnerability
+ due to lack of proper rights checking, allowing any privileged user
+ to create Articles in any class.</p>
+ <p>All versions of RT with cross-site-request forgery (CSRF)
+ protection (RT 3.8.12 and above, RT 4.0.6 and above, and any
+ instances running the security patches released 2012-05-22) contain
+ a vulnerability which incorrectly allows though CSRF requests which
+ toggle ticket bookmarks.</p>
+ <p>All versions of RT are vulnerable to a confused deputy attack on
+ the user. While not strictly a CSRF attack, users who are not logged
+ in who are tricked into following a malicious link may, after
+ supplying their credentials, be subject to an attack which leverages
+ their credentials to modify arbitrary state. While users who were
+ logged in would have observed the CSRF protection page, users who
+ were not logged in receive no such warning due to the intervening
+ login process. RT has been extended to notify users of pending
+ actions during the login process.</p>
+ <p>RT 3.8.0 and above are susceptible to a number of vulnerabilities
+ concerning improper signing or encryption of messages using GnuPG;
+ if GnuPG is not enabled, none of the following affect you.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2012-4730</cvename>
+ <cvename>CVE-2012-4731</cvename>
+ <cvename>CVE-2012-4732</cvename>
+ <cvename>CVE-2012-4734</cvename>
+ <cvename>CVE-2012-4735</cvename>
+ <cvename>CVE-2012-4884</cvename>
+ <url>http://blog.bestpractical.com/2012/10/security-vulnerabilities-in-rt.html</url>
+ </references>
+ <dates>
+ <discovery>2012-10-26</discovery>
+ <entry>2012-11-01</entry>
+ </dates>
+ </vuln>
+
<vuln vid="2adc3e78-22d1-11e2-b9f0-d0df9acfd7e5">
<topic>drupal7 -- multiple vulnerabilities</topic>
<affects>
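Review bot: the last quoted paragraph ends with "none of the following affect you", but the blockquote stops right there, so the GnuPG-related items it refers to never appear in the entry; either include the advisory's GnuPG list or cut the quote before that clause so readers are not left pointing at nothing. Two smaller points on the same hunk: the description says "RTFM 2.0.0 and above" is affected by the Articles rights-check issue, yet no RTFM package appears under <affects> (only rt40 and rt38), so confirm whether an RTFM port exists in the tree and add it if it does; and the quoted text carries the upstream typo "allows though CSRF requests" (should read "through"), which is fine to keep verbatim since it is a quote, but worth noting for anyone reading the entry.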
Modified: head/www/rt38/Makefile
==============================================================================
--- head/www/rt38/Makefile Thu Nov 1 13:55:03 2012 (r306802)
+++ head/www/rt38/Makefile Thu Nov 1 14:10:55 2012 (r306803)
@@ -8,7 +8,7 @@
# o install a sample into etc/apache22/Includes
PORTNAME= rt
-PORTVERSION= 3.8.14
+PORTVERSION= 3.8.15
CATEGORIES= www
MASTER_SITES= http://download.bestpractical.com/pub/rt/release/ \
ftp://ftp.eu.uu.net/pub/unix/ticketing/rt/release/
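Review bot: with PORTVERSION moving from 3.8.14 to 3.8.15, any PORTREVISION line outside this hunk's context must be removed or reset, as the ports convention requires on a version bump; the hunk does not show whether one exists, so please confirm. The pkg-plist hunk adds a new file for this release, so no PORTREVISION bump is needed on its own.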
Modified: head/www/rt38/distinfo
==============================================================================
--- head/www/rt38/distinfo Thu Nov 1 13:55:03 2012 (r306802)
+++ head/www/rt38/distinfo Thu Nov 1 14:10:55 2012 (r306803)
@@ -1,2 +1,2 @@
-SHA256 (rt-3.8.14.tar.gz) = 59c892a08746cf83fdfdf0ef4584d929983e22b5f5d17980b7541ac028933509
-SIZE (rt-3.8.14.tar.gz) = 5593322
+SHA256 (rt-3.8.15.tar.gz) = fca1283189bd670fde7a041e99e85aa4a58e0e302bb1f3c7ddab2f4997b5da55
+SIZE (rt-3.8.15.tar.gz) = 5650409
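Review bot: the new SHA256 and SIZE are the only integrity anchor the port has for the 3.8.15 tarball, so state in the commit (or confirm here) that the distinfo was regenerated from a tarball fetched from the primary MASTER_SITES entry and cross-checked against upstream's published checksum or signature, rather than from a mirror alone; a checksum regenerated from a tampered download would be committed with the same `make makesum` step.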
Modified: head/www/rt38/pkg-plist
==============================================================================
--- head/www/rt38/pkg-plist Thu Nov 1 13:55:03 2012 (r306802)
+++ head/www/rt38/pkg-plist Thu Nov 1 14:10:55 2012 (r306803)
@@ -463,6 +463,7 @@ share/rt38/html/Elements/HeaderJavascrip
share/rt38/html/Elements/ListActions
share/rt38/html/Elements/ListMenu
share/rt38/html/Elements/Login
+share/rt38/html/Elements/LoginRedirectWarning
share/rt38/html/Elements/Logo
share/rt38/html/Elements/Logout
share/rt38/html/Elements/MakeClicky
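Review bot: the single new entry `share/rt38/html/Elements/LoginRedirectWarning` matches the advisory text quoted in the vuxml hunk ("RT has been extended to notify users of pending actions during the login process"), so the plist change is consistent with the security fix; since only one line was added, please confirm the plist was regenerated against a full 3.8.15 install (for example with `make check-plist`) so that no other files new in this release were missed.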