From nobody@FreeBSD.org  Tue Apr 20 14:27:23 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 416D4106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 20 Apr 2010 14:27:23 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 311578FC14
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 20 Apr 2010 14:27:23 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o3KERNRO080396
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 20 Apr 2010 14:27:23 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o3KERMNc080395;
	Tue, 20 Apr 2010 14:27:22 GMT
	(envelope-from nobody)
Message-Id: <201004201427.o3KERMNc080395@www.freebsd.org>
Date: Tue, 20 Apr 2010 14:27:22 GMT
From: niels <niels@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [security] www/e107 XSS and code execution
X-Send-Pr-Version: www-3.1
X-GNATS-Notify: wenheping@gmail.com

>Number:         145885
>Category:       ports
>Synopsis:       [security] www/e107 XSS and code execution
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    niels
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 20 14:30:05 UTC 2010
>Closed-Date:    Tue Apr 20 15:19:14 UTC 2010
>Last-Modified:  Tue Apr 20 21:10:01 UTC 2010
>Originator:     niels
>Release:        8.0-STABLE
>Organization:
>Environment:
>Description:

Two serious issues affect this port (which is at version 0.7.15). You can find the descriptions in the following advisories:

http://seclists.org/bugtraq/2010/Apr/156
http://seclists.org/bugtraq/2010/Apr/160
>How-To-Repeat:
N/A
>Fix:
Upgrade port to version 0.7.20 with the following patch:
http://people.freebsd.org/~niels/ports/diffs/e107-0.7.20.diff

Tinderbox test log:
http://freebsd.heinen.ws/tb/logs/8.0-STABLE/e107-0.7.20.log

NOTE: No functional tests have been performed!

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->niels 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Tue Apr 20 14:31:24 UTC 2010 
Responsible-Changed-Why:  
Submitter has GNATS access (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145885 
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Tue Apr 20 14:31:27 UTC 2010 
State-Changed-Why:  
Awaiting maintainers feedback (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=145885 

From: Edwin Groothuis <edwin@FreeBSD.org>
To: wenheping@gmail.com
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/145885: [security] www/e107 XSS and code execution
Date: Tue, 20 Apr 2010 14:31:26 UT

 Maintainer of www/e107,
 
 Please note that PR ports/145885 has just been submitted.
 
 If it contains a patch for an upgrade, an enhancement or a bug fix
 you agree on, reply to this email stating that you approve the patch
 and a committer will take care of it.
 
 The full text of the PR can be found at:
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/145885
 
 -- 
 Edwin Groothuis via the GNATS Auto Assign Tool
 edwin@FreeBSD.org
State-Changed-From-To: feedback->closed 
State-Changed-By: niels 
State-Changed-When: Tue Apr 20 15:18:46 UTC 2010 
State-Changed-Why:  
Patch has been committed, port is upgraded to 0.7.20 


http://www.freebsd.org/cgi/query-pr.cgi?pr=145885 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/145885: commit references a PR
Date: Tue, 20 Apr 2010 15:18:26 +0000 (UTC)

 niels       2010-04-20 15:17:33 UTC
 
   FreeBSD ports repository
 
   Modified files:
     www/e107             Makefile distinfo 
   Log:
   Upgrade to 0.7.20 to fix two security issues
   
   PR:             ports/145885
   Reviewed by:    wen (maintainer)
   Approved by:    itetcu (mentor)
   Security:       http://seclists.org/bugtraq/2010/Apr/156
   Security:       http://seclists.org/bugtraq/2010/Apr/160
   
   Revision  Changes    Path
   1.3       +3 -3      ports/www/e107/Makefile
   1.2       +3 -3      ports/www/e107/distinfo
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/145885: commit references a PR
Date: Tue, 20 Apr 2010 21:04:00 +0000 (UTC)

 niels       2010-04-20 21:03:51 UTC
 
   FreeBSD ports repository
 
   Modified files:
     security/vuxml       vuln.xml 
   Log:
   Documented the following vulnerabilities:
   - png: libpng decompression denial of service
   - e107: code execution and XSS vulnerabilities
   - pidgin: multiple remote denial of service vulnerabilities
   - fetchmail: denial of service vulnerability
   
   PR:             ports/145885
   PR:             ports/145857
   Approved by:    remko (secteam)
   Security:       CVE-2010-0996
   Security:       CVE-2010-0997
   Security:       CVE-2010-1167
   Security:       CVE-2010-0277
   Security:       CVE-2010-0420
   Security:       CVE-2010-0423
   Security:       CVE-2010-0205
   
   Revision  Changes    Path
   1.2143    +162 -1    ports/security/vuxml/vuln.xml
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
