Message-Id: <201108070724.p777OPPI088121@red.freebsd.org>
Date: Sun, 7 Aug 2011 07:24:25 GMT
From: Peter Vereshagin <peter@vereshagin.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Security Advisory for Bugzilla Versions Prior to 3.6.6, 4.0.2
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         159576
>Category:       ports
>Synopsis:       devel/bugzilla: Security Advisory for Bugzilla Versions Prior to 3.6.6, 4.0.2
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    skv
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 07 07:30:08 UTC 2011
>Closed-Date:    Sat Aug 13 18:25:39 UTC 2011
>Last-Modified:  Sat Aug 13 18:30:11 UTC 2011
>Originator:     Peter Vereshagin
>Release:        7.4-stable as of 2011
>Organization:
Private
>Environment:
FreeBSD teh.ost 7.4-STABLE FreeBSD 7.4-STABLE #10: Mon May  2 16:12:55 MSD 2011     usr@teh.ost:/CONF  i386

>Description:
The following impacts the ports devel/bugzilla and devel/bugzilla3 at least:

* Internet Explorer 8 and older, and Safari before 5.0.6 do content
  sniffing when viewing a patch in "Raw Unified" mode, which could
  trigger a cross-site scripting attack due to the execution of
  malicious code in the attachment.

* Attachment descriptions with a newline in them could lead to the
  injection of crafted headers in email notifications sent to the
  requestee or the requester when editing an attachment flag.

* If an attacker has access to a user's session, he can modify that
  user's email address without that user being notified of the change.

===

References:  https://bugzilla.mozilla.org/show_bug.cgi?id=637981
CVE Number:  CVE-2011-2379

Class:       Information Leak
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
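
The second item in the description above (a newline in an attachment description ending up in a notification's headers) can be reproduced and closed off as follows. This is an added example, not part of the original PR and not Bugzilla's code: the template, the addresses, the use of Subject as the affected header and all function names are assumptions, and the sample description is constructed.

```python
import re
from email.message import EmailMessage
from email.parser import Parser

# Hypothetical notification template; the layout and the choice of Subject as
# the header carrying the description are assumptions for this example.
TEMPLATE = (
    "From: bugzilla-daemon@example.org\n"
    "To: {to}\n"
    "Subject: Flag changed on attachment: {description}\n"
    "\n"
    "A flag on this attachment was updated.\n"
)

# Constructed sample input: a description carrying an embedded newline.
SAMPLE_DESCRIPTION = "fix typo\nX-Injected: yes"

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]+")


def clean_header_value(value):
    """Replace each run of control characters (CR, LF, NUL, ...) with one space."""
    return _CONTROL_CHARS.sub(" ", value).strip()


def render_unsafe(to, description):
    """Weak form: user text is pasted straight into the header block."""
    return TEMPLATE.format(to=to, description=description)


def render_safe(to, description):
    """Hardened form: every interpolated value is flattened to a single line."""
    return TEMPLATE.format(to=clean_header_value(to),
                           description=clean_header_value(description))


def header_names(raw_message):
    """Header names as a receiving mail parser would see them."""
    return Parser().parsestr(raw_message).keys()


def stdlib_rejects(description):
    """True if EmailMessage refuses the value outright instead of cleaning it."""
    try:
        EmailMessage()["Subject"] = description
    except ValueError:
        return True
    return False
```

With the constructed sample, `render_unsafe` yields a message whose parsed headers include the extra `X-Injected` line, while `render_safe` keeps the whole description inside Subject.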

From: Peter Vereshagin <peter@vereshagin.org>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
Cc:  
Subject: Re: ports/159576: Security Advisory for Bugzilla Versions Prior to
 3.6.6, 4.0.2
Date: Sun, 7 Aug 2011 15:51:01 +0400

 --t0UkRYy7tHLRMCai
 Content-Type: text/plain; charset=koi8-r
 Content-Disposition: inline
 
 You can't take no for an answer, FreeBSD-gnats-submit!
 
 Attaching a patch here for devel/bugzilla; it works for me that way.
 devel/bugzilla3 still needs a patch.
 
 73! Peter pgp: A0E26627 (4A42 6841 2871 5EA7 52AB  12F8 0CE1 4AAC A0E2 6627)
 --
 http://vereshagin.org
 
 --t0UkRYy7tHLRMCai
 Content-Type: text/x-diff; charset=koi8-r
 Content-Disposition: attachment; filename="devel_bugzilla-4.0.2-20110807-00.patch"
 
 diff -u bugzilla.orig/Makefile bugzilla/Makefile
 --- bugzilla.orig/Makefile	2011-07-19 01:56:01.000000000 +0400
 +++ bugzilla/Makefile	2011-08-07 11:36:17.000000000 +0400
 @@ -6,8 +6,7 @@
  #
  
  PORTNAME=	bugzilla
 -PORTVERSION=	4.0.1
 -PORTREVISION=	1
 +PORTVERSION=	4.0.2
  CATEGORIES=	devel
  MASTER_SITES=	${MASTER_SITE_MOZILLA}
  MASTER_SITE_SUBDIR=	webtools webtools/archived
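Review bot: The PORTVERSION bump in this Makefile hunk covers only devel/bugzilla, while the PR description names devel/bugzilla3 as affected too; that port needs its own update to a fixed 3.x release (3.6.6 per the subject line) before the advisory is fully addressed in the tree. Dropping PORTREVISION together with the move from 4.0.1 to 4.0.2 is correct, since the revision restarts with a new PORTVERSION.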
 diff -u bugzilla.orig/distinfo bugzilla/distinfo
 --- bugzilla.orig/distinfo	2011-07-19 01:56:01.000000000 +0400
 +++ bugzilla/distinfo	2011-08-07 11:49:19.000000000 +0400
 @@ -1,2 +1,2 @@
 -SHA256 (bugzilla/bugzilla-4.0.1.tar.gz) = 7be2f05bb187c4e15caef2a98497e12c87a69ad5aeaf654b2197ae5b48e93209
 -SIZE (bugzilla/bugzilla-4.0.1.tar.gz) = 2985506
 +SHA256 (bugzilla/bugzilla-4.0.2.tar.gz) = 9513d53f75aaf7dc6efc4b145c09d95d8148b976cd71a2cda3a1093a2183bd77
 +SIZE (bugzilla/bugzilla-4.0.2.tar.gz) = 2987667
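Review bot: The new SHA256 and SIZE lines for bugzilla-4.0.2.tar.gz come from the submitter's own download, so they should be regenerated with `make makesum` from a fresh fetch and compared against these values before commit. distinfo is the only thing later builds check the tarball against, so a wrong value here either breaks every fetch or records the wrong file as trusted.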
 Common subdirectories: bugzilla.orig/files and bugzilla/files
 
 --t0UkRYy7tHLRMCai--
Responsible-Changed-From-To: freebsd-ports-bugs->skv 
Responsible-Changed-By: arved 
Responsible-Changed-When: Sun Aug 7 13:09:52 UTC 2011 
Responsible-Changed-Why:  
over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=159576 
State-Changed-From-To: open->closed 
State-Changed-By: skv 
State-Changed-When: Sat Aug 13 18:25:31 UTC 2011 
State-Changed-Why:  
Committed, thanks! 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/159576: commit references a PR
Date: Sat, 13 Aug 2011 18:24:30 +0000 (UTC)

 skv         2011-08-13 18:24:21 UTC
 
   FreeBSD ports repository
 
   Modified files:
     devel/bugzilla       Makefile distinfo 
   Log:
   Update to 4.0.2
   
   Changes:        http://www.bugzilla.org/releases/4.0.2/release-notes.html
   Security:       http://www.vuxml.org/freebsd/dc8741b9-c5d5-11e0-8a8e-00151735203a.html
   PR:             ports/159576
   Submitted by:   Peter Vereshagin <peter@vereshagin.org>
   
   Revision  Changes    Path
   1.87      +3 -4      ports/devel/bugzilla/Makefile
   1.46      +2 -2      ports/devel/bugzilla/distinfo
 
>Unformatted:
