svn commit: r307442 - in branches/RELENG_9_1_0: devel/bugzilla devel/bugzilla3 devel/bugzilla42 german/bugzilla german/bugzilla/files german/bugzilla3 german/bugzilla3/files german/bugzilla42 germa...
Beat Gaetzi
beat at FreeBSD.org
Thu Nov 15 08:50:07 UTC 2012
Author: beat
Date: Thu Nov 15 08:50:06 2012
New Revision: 307442
URL: http://svnweb.freebsd.org/changeset/ports/307442
Log:
MFH 307425 by ohauer:
- bugzilla security updates to version(s)
3.6.11, 4.0.8, 4.2.4
Summary
=======
The following security issues have been discovered in Bugzilla:
* Confidential product and component names can be disclosed to
unauthorized users if they are used to control the visibility of
a custom field.
* When calling the 'User.get' WebService method with a 'groups'
argument, it is possible to check if the given group names exist
or not.
* Due to incorrectly filtered field values in tabular reports, it is
possible to inject code which can lead to XSS.
* When trying to mark an attachment in a bug you cannot see as
obsolete, the description of the attachment is disclosed in the
error message.
* A vulnerability in swfstore.swf from YUI2 can lead to XSS.
Feature safe: yes
Security: CVE-2012-4199
https://bugzilla.mozilla.org/show_bug.cgi?id=731178
CVE-2012-4198
https://bugzilla.mozilla.org/show_bug.cgi?id=781850
CVE-2012-4189
https://bugzilla.mozilla.org/show_bug.cgi?id=790296
CVE-2012-4197
https://bugzilla.mozilla.org/show_bug.cgi?id=802204
CVE-2012-5475
https://bugzilla.mozilla.org/show_bug.cgi?id=808845
http://yuilibrary.com/support/20121030-vulnerability/
MFH 307429 by ohauer:
- adjust required PgSQL module for bugzilla42
From Release Notes:
PostgreSQL 9.2 requires DBD::Pg 2.19.3. (Bug 799721)
No revision bump, p5-DBD-Pg-2.19.3
a) not on by default
b) in the tree for a few months
- add deprecation message to bugzilla3
From the announcement:
Note that when Bugzilla 4.4 is released, the Bugzilla 3.6.x series
will reach end of life. If you are using that series, we encourage
you to upgrade to 4.2.4 now.
http://groups.google.com/group/mozilla.support.bugzilla/browse_thread/thread/d8dcc99be0f89421
MFH 307430 by ohauer:
- fix german bugzilla templates (security fixes)
Added:
branches/RELENG_9_1_0/german/bugzilla/files/
- copied from r307430, head/german/bugzilla/files/
branches/RELENG_9_1_0/german/bugzilla3/files/
- copied from r307430, head/german/bugzilla3/files/
branches/RELENG_9_1_0/german/bugzilla42/files/
- copied from r307430, head/german/bugzilla42/files/
Modified:
branches/RELENG_9_1_0/devel/bugzilla/Makefile
branches/RELENG_9_1_0/devel/bugzilla/distinfo
branches/RELENG_9_1_0/devel/bugzilla3/Makefile
branches/RELENG_9_1_0/devel/bugzilla3/distinfo
branches/RELENG_9_1_0/devel/bugzilla42/Makefile
branches/RELENG_9_1_0/devel/bugzilla42/distinfo
branches/RELENG_9_1_0/german/bugzilla/Makefile
branches/RELENG_9_1_0/german/bugzilla3/Makefile
branches/RELENG_9_1_0/german/bugzilla42/Makefile
branches/RELENG_9_1_0/security/vuxml/vuln.xml
Directory Properties:
branches/RELENG_9_1_0/ (props changed)
Modified: branches/RELENG_9_1_0/devel/bugzilla/Makefile
==============================================================================
--- branches/RELENG_9_1_0/devel/bugzilla/Makefile Thu Nov 15 08:28:11 2012 (r307441)
+++ branches/RELENG_9_1_0/devel/bugzilla/Makefile Thu Nov 15 08:50:06 2012 (r307442)
@@ -1,7 +1,7 @@
# $FreeBSD$
PORTNAME= bugzilla
-PORTVERSION= 4.0.8
+PORTVERSION= 4.0.9
CATEGORIES= devel
MASTER_SITES= ${MASTER_SITE_MOZILLA}
MASTER_SITE_SUBDIR= webtools webtools/archived
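Review bot: PORTVERSION on the changed line goes to 4.0.9, but the log message announces security updates to "3.6.11, 4.0.8, 4.2.4", which for two of the three ports are the versions being replaced (the other Makefiles in this commit move to 3.6.12 and 4.2.4). The log should read 3.6.12, 4.0.9, 4.2.4 so that it agrees with the diff and with the `<lt>` bounds in the vuln.xml entry.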
Modified: branches/RELENG_9_1_0/devel/bugzilla/distinfo
==============================================================================
--- branches/RELENG_9_1_0/devel/bugzilla/distinfo Thu Nov 15 08:28:11 2012 (r307441)
+++ branches/RELENG_9_1_0/devel/bugzilla/distinfo Thu Nov 15 08:50:06 2012 (r307442)
@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-4.0.8.tar.gz) = 0d44ab29863ffe6ef7637f078c31e52805f1b2ff0ff4f5c39a0d7daebe326b0c
-SIZE (bugzilla/bugzilla-4.0.8.tar.gz) = 2801982
+SHA256 (bugzilla/bugzilla-4.0.9.tar.gz) = af79b2f2b39f428e19122707d1334db5e447742ca6098f74803c35277117e394
+SIZE (bugzilla/bugzilla-4.0.9.tar.gz) = 2803607
Modified: branches/RELENG_9_1_0/devel/bugzilla3/Makefile
==============================================================================
--- branches/RELENG_9_1_0/devel/bugzilla3/Makefile Thu Nov 15 08:28:11 2012 (r307441)
+++ branches/RELENG_9_1_0/devel/bugzilla3/Makefile Thu Nov 15 08:50:06 2012 (r307442)
@@ -1,7 +1,7 @@
# $FreeBSD$
PORTNAME= bugzilla
-PORTVERSION= 3.6.11
+PORTVERSION= 3.6.12
CATEGORIES= devel
MASTER_SITES= ${MASTER_SITE_MOZILLA}
MASTER_SITE_SUBDIR= webtools webtools/archived
@@ -28,6 +28,9 @@ USE_PERL5= yes
BINMODE= 700
+DEPRECATED= Note that when Bugzilla 4.4 is released, the Bugzilla 3.6.x \
+ series will reach end of life
+
SUB_FILES= pkg-message
DATA_DIRS_LIST= images js skins
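Review bot: the added DEPRECATED line has no EXPIRATION_DATE next to it and drops the second half of the announcement quoted in the log, so a user who sees the warning is not told what to move to. Consider wording it as a reason plus the upgrade target, for example `DEPRECATED= 3.6.x reaches end of life when Bugzilla 4.4 is released; upgrade to 4.2.4`, and add an expiration date once the 4.4 release date is known.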
Modified: branches/RELENG_9_1_0/devel/bugzilla3/distinfo
==============================================================================
--- branches/RELENG_9_1_0/devel/bugzilla3/distinfo Thu Nov 15 08:28:11 2012 (r307441)
+++ branches/RELENG_9_1_0/devel/bugzilla3/distinfo Thu Nov 15 08:50:06 2012 (r307442)
@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-3.6.11.tar.gz) = 01b99ec5b1e6efc9d0a0352ebe2ea6e8b8c7471a3f4dd80c3b99b5be575c4585
-SIZE (bugzilla/bugzilla-3.6.11.tar.gz) = 2509551
+SHA256 (bugzilla/bugzilla-3.6.12.tar.gz) = 1b3ebd08545b0093cd64a6f2e6c1310c7e85e691c83bd79c10960329f1bdca77
+SIZE (bugzilla/bugzilla-3.6.12.tar.gz) = 2509580
Modified: branches/RELENG_9_1_0/devel/bugzilla42/Makefile
==============================================================================
--- branches/RELENG_9_1_0/devel/bugzilla42/Makefile Thu Nov 15 08:28:11 2012 (r307441)
+++ branches/RELENG_9_1_0/devel/bugzilla42/Makefile Thu Nov 15 08:50:06 2012 (r307442)
@@ -1,7 +1,7 @@
# $FreeBSD$
PORTNAME= bugzilla
-PORTVERSION= 4.2.3
+PORTVERSION= 4.2.4
CATEGORIES= devel
MASTER_SITES= ${MASTER_SITE_MOZILLA}
MASTER_SITE_SUBDIR= webtools webtools/archived
@@ -60,7 +60,7 @@ RUN_DEPENDS+= p5-DBD-mysql>=4.0001:${POR
.if ${PORT_OPTIONS:MPGSQL}
USE_PGSQL= yes
-RUN_DEPENDS+= p5-DBD-Pg>=1.45:${PORTSDIR}/databases/p5-DBD-Pg
+RUN_DEPENDS+= p5-DBD-Pg>=2.19.3:${PORTSDIR}/databases/p5-DBD-Pg
.endif
.if ${PORT_OPTIONS:MSQLITE}
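Review bot: the p5-DBD-Pg lower bound on the changed RUN_DEPENDS line rises from 1.45 to 2.19.3 for every PGSQL build, while the release note quoted in the log ties 2.19.3 to PostgreSQL 9.2 only. A short comment above that line citing Bug 799721 would record why the bound is this high, so it is not lowered again in a later cleanup.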
Modified: branches/RELENG_9_1_0/devel/bugzilla42/distinfo
==============================================================================
--- branches/RELENG_9_1_0/devel/bugzilla42/distinfo Thu Nov 15 08:28:11 2012 (r307441)
+++ branches/RELENG_9_1_0/devel/bugzilla42/distinfo Thu Nov 15 08:50:06 2012 (r307442)
@@ -1,2 +1,2 @@
-SHA256 (bugzilla/bugzilla-4.2.3.tar.gz) = 712d645c5b2b081e42b2a364c26edf8a8a0048f463a426ac38cc482d31b11fb3
-SIZE (bugzilla/bugzilla-4.2.3.tar.gz) = 2977764
+SHA256 (bugzilla/bugzilla-4.2.4.tar.gz) = bede0cf893ad8ac99715614af0cf4624bc0e8552852f51290f546006105ce695
+SIZE (bugzilla/bugzilla-4.2.4.tar.gz) = 2976363
Modified: branches/RELENG_9_1_0/german/bugzilla/Makefile
==============================================================================
--- branches/RELENG_9_1_0/german/bugzilla/Makefile Thu Nov 15 08:28:11 2012 (r307441)
+++ branches/RELENG_9_1_0/german/bugzilla/Makefile Thu Nov 15 08:50:06 2012 (r307442)
@@ -2,7 +2,7 @@
PORTNAME= bugzilla
PORTVERSION= 4.0.8
-#PORTREVISION= 1
+PORTREVISION= 1
CATEGORIES= german
MASTER_SITES= SF
MASTER_SITE_SUBDIR=bugzilla-de/${PORTVERSION:R}/${PORTVERSION}
@@ -21,9 +21,10 @@ NO_WRKSUBDIR= yes
LANGDIR= ${WWWDIR}/template/de
-#post-patch:
-# ${REINPLACE_CMD} -i '' -e 's/4.0.7/4.0.8/' \
-# ${WRKDIR}/de/default/global/gzversion.html.tmpl
+post-patch:
+ @${REINPLACE_CMD} -i '' -e 's/4.0.8/4.0.9/' \
+ ${WRKDIR}/de/default/global/gzversion.html.tmpl
+ @${FIND} ${WRKDIR}/de/default/ -type f \( -name \*.orig -o -name \*.bak \) -delete
do-install:
@-${MKDIR} ${LANGDIR}
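Review bot: in the post-patch sed expression `s/4.0.8/4.0.9/` the dots in the pattern are unescaped, so each one matches any character rather than a literal dot. Escaping them (`s/4\.0\.8/4.0.9/`) keeps the substitution to the version string in gzversion.html.tmpl; the same applies to the corresponding lines in german/bugzilla3 and german/bugzilla42.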
Modified: branches/RELENG_9_1_0/german/bugzilla3/Makefile
==============================================================================
--- branches/RELENG_9_1_0/german/bugzilla3/Makefile Thu Nov 15 08:28:11 2012 (r307441)
+++ branches/RELENG_9_1_0/german/bugzilla3/Makefile Thu Nov 15 08:50:06 2012 (r307442)
@@ -2,7 +2,7 @@
PORTNAME= bugzilla
PORTVERSION= 3.6.11
-#PORTREVISION= 1
+PORTREVISION= 1
CATEGORIES= german
MASTER_SITES= SF
MASTER_SITE_SUBDIR=bugzilla-de/${PORTVERSION:R}/${PORTVERSION}
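Review bot: PORTVERSION stays at 3.6.11 and only PORTREVISION is enabled, while the post-patch target in the next hunk rewrites the template's version string to 3.6.12, so the package is versioned 3.6.11_1 but displays 3.6.12. A comment next to PORTREVISION saying that the security fixes are carried as local patches in files/ would make that mismatch explicit for whoever does the next update.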
@@ -21,9 +21,10 @@ NO_WRKSUBDIR= yes
LANGDIR= ${WWWDIR}/template/de
-#post-patch:
-# ${REINPLACE_CMD} -i '' -e 's/3.6.10/3.6.11/' \
-# ${WRKDIR}/de/default/global/gzversion.html.tmpl
+post-patch:
+ @${REINPLACE_CMD} -i '' -e 's/3.6.11/3.6.12/' \
+ ${WRKDIR}/de/default/global/gzversion.html.tmpl
+ @${FIND} ${WRKDIR}/de/default/ -type f \( -name \*.orig -o -name \*.bak \) -delete
do-install:
@-${MKDIR} ${LANGDIR}
Modified: branches/RELENG_9_1_0/german/bugzilla42/Makefile
==============================================================================
--- branches/RELENG_9_1_0/german/bugzilla42/Makefile Thu Nov 15 08:28:11 2012 (r307441)
+++ branches/RELENG_9_1_0/german/bugzilla42/Makefile Thu Nov 15 08:50:06 2012 (r307442)
@@ -2,7 +2,7 @@
PORTNAME= bugzilla
PORTVERSION= 4.2.3
-#PORTREVISION= 1
+PORTREVISION= 1
CATEGORIES= german
MASTER_SITES= SF
MASTER_SITE_SUBDIR=bugzilla-de/${PORTVERSION:R}/${PORTVERSION}
@@ -21,10 +21,10 @@ NO_WRKSUBDIR= yes
LANGDIR= ${WWWDIR}/template/de
-#post-patch:
-# @${REINPLACE_CMD} -i '' -e 's/4.2.2/4.2.3/' \
-# ${WRKDIR}/de/default/global/gzversion.html.tmpl
-# @${FIND} ${WRKDIR} -type f -name \*.orig -delete
+post-patch:
+ @${REINPLACE_CMD} -i '' -e 's/4.2.3/4.2.4/' \
+ ${WRKDIR}/de/default/global/gzversion.html.tmpl
+ @${FIND} ${WRKDIR}/de/default/ -type f \( -name \*.orig -o -name \*.bak \) -delete
do-install:
@-${MKDIR} ${LANGDIR}
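Review bot: the find cleanup now runs on ${WRKDIR}/de/default/ only, where the previous (commented-out) line searched all of ${WRKDIR}. If any patch in the new files/ directory touches a file outside de/default/, its .orig backup is left in place and may be installed with the templates. Either keep the search rooted at ${WRKDIR} or confirm that every patched file lives under de/default/.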
Modified: branches/RELENG_9_1_0/security/vuxml/vuln.xml
==============================================================================
--- branches/RELENG_9_1_0/security/vuxml/vuln.xml Thu Nov 15 08:28:11 2012 (r307441)
+++ branches/RELENG_9_1_0/security/vuxml/vuln.xml Thu Nov 15 08:50:06 2012 (r307442)
@@ -51,6 +51,63 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="2b841f88-2e8d-11e2-ad21-20cf30e32f6d">
+ <topic>bugzilla -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>bugzilla</name>
+ <range><ge>3.6.0</ge><lt>3.6.12</lt></range>
+ <range><ge>4.0.0</ge><lt>4.0.9</lt></range>
+ <range><ge>4.2.0</ge><lt>4.2.4</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>A Bugzilla Security Advisory reports:</h1>
+ <blockquote cite="http://www.bugzilla.org/security/3.6.11/">
+ <p>The following security issues have been discovered in
+ Bugzilla:</p>
+ <h1>Information Leak</h1>
+ <p>If the visibility of a custom field is controlled by a product
+ or a component of a product you cannot see, their names are
+ disclosed in the JavaScript code generated for this custom field
+ despite they should remain confidential.</p>
+ <p>Calling the User.get method with a 'groups' argument leaks the
+ existence of the groups depending on whether an error is thrown
+ or not. This method now also throws an error if the user calling
+ this method does not belong to these groups (independently of
+ whether the groups exist or not).</p>
+ <p>Trying to mark an attachment in a bug you cannot see as obsolete
+ discloses its description in the error message. The description
+ of the attachment is now removed from the error message.</p>
+ <h1>Cross-Site Scripting</h1>
+ <p>Due to incorrectly filtered field values in tabular reports,
+ it is possible to inject code leading to XSS.</p>
+ <p>A vulnerability in swfstore.swf from YUI2 allows JavaScript
+ injection exploits to be created against domains that host this
+ affected YUI .swf file.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2012-4199</cvename>
+ <url>https://bugzilla.mozilla.org/show_bug.cgi?id=731178</url>
+ <cvename>CVE-2012-4198</cvename>
+ <url>https://bugzilla.mozilla.org/show_bug.cgi?id=781850</url>
+ <cvename>CVE-2012-4197</cvename>
+ <url>https://bugzilla.mozilla.org/show_bug.cgi?id=802204</url>
+ <cvename>CVE-2012-4189</cvename>
+ <url>https://bugzilla.mozilla.org/show_bug.cgi?id=790296</url>
+ <cvename>CVE-2012-5475</cvename>
+ <url>https://bugzilla.mozilla.org/show_bug.cgi?id=808845</url>
+ <url>http://yuilibrary.com/support/20121030-vulnerability/</url>
+ </references>
+ <dates>
+ <discovery>2012-11-13</discovery>
+ <entry>2012-11-14</entry>
+ </dates>
+ </vuln>
+
<vuln vid="79818ef9-2d10-11e2-9160-00262d5ed8ee">
<topic>typo3 -- Multiple vulnerabilities in TYPO3 Core</topic>
<affects>
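Review bot: the new entry's `<affects>` lists only `<name>bugzilla</name>`, yet this commit also ships security fixes for the German template ports under german/bugzilla, german/bugzilla3 and german/bugzilla42. If those templates are affected in their own right, add a `<package>` block for them with ranges ending at the PORTREVISION set in this commit; otherwise users who still have the old templates installed get no audit warning.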