From nobody@FreeBSD.org  Thu Sep 27 14:11:03 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 50B66106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 27 Sep 2012 14:11:03 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 314268FC0C
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 27 Sep 2012 14:11:03 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id q8REB3w9008927
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 27 Sep 2012 14:11:03 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id q8REB2cV008926;
	Thu, 27 Sep 2012 14:11:02 GMT
	(envelope-from nobody)
Message-Id: <201209271411.q8REB2cV008926@red.freebsd.org>
Date: Thu, 27 Sep 2012 14:11:02 GMT
From: Ruslan Mahmatkhanov <rm@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: www/openx:update to 2.8.10
X-Send-Pr-Version: www-3.1
X-GNATS-Notify: meritus@innervision.pl

>Number:         172114
>Category:       ports
>Synopsis:       www/openx:update to 2.8.10
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    rm
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 27 14:20:02 UTC 2012
>Closed-Date:    Wed Oct 03 12:37:18 UTC 2012
>Last-Modified:  Wed Oct  3 12:40:16 UTC 2012
>Originator:     Ruslan Mahmatkhanov
>Release:        10.0-CURRENT
>Organization:
>Environment:
10.0-CURRENT i386
>Description:
- update to 2.8.10

This release fixes an SQL injection vulnerability.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Index: security/vuxml/vuln.xml
===================================================================
--- security/vuxml/vuln.xml	(revision 304960)
+++ security/vuxml/vuln.xml	(working copy)
@@ -51,6 +51,42 @@
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="dee44ba9-08ab-11e2-a044-d0df9acfd7e5">
+    <topic>OpenX -- SQL injection vulnerability</topic>
+    <affects>
+      <package>
+        <name>openx</name>
+        <range><le>2.8.10</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+        <p>Secunia reports:</p>
+        <blockquote cite="http://secunia.com/advisories/50598/">
+          <p>A vulnerability has been discovered in OpenX, which can be
+             exploited by malicious people to conduct SQL injection 
+             attacks.</p>
+          <p>Input passed via the "xajaxargs" parameter to 
+             www/admin/updates-history.php (when "xajax" is set to 
+             "expandOSURow") is not properly sanitised in e.g. the 
+             "queryAuditBackupTablesByUpgradeId()" function 
+             (lib/OA/Upgrade/DB_UpgradeAuditor.php) before being used in SQL
+             queries. This can be exploited to manipulate SQL queries by 
+             injecting arbitrary SQL code.</p>
+          <p>The vulnerability is confirmed in version 2.8.9. Prior versions
+             may also be affected.</p>
+        </blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://secunia.com/advisories/50598/</url>
+    </references>
+    <dates>
+      <discovery>2012-09-14</discovery>
+      <entry>2012-09-27</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5bae2ab4-0820-11e2-be5f-00262d5ed8ee">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>
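Review bot: the affected range `<range><le>2.8.10</le></range>` in this vuln entry marks 2.8.10 itself as vulnerable, yet 2.8.10 is the fixed release (the Makefile hunk bumps PORTVERSION to it and the PR description says this release fixes the SQL injection), so users who upgrade would keep being flagged by portaudit/pkg audit. Change it to `<range><lt>2.8.10</lt></range>`; the Secunia text only confirms 2.8.9 and earlier, which is consistent with `lt`. Run `make validate` in security/vuxml after the change to confirm the entry is still well-formed.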
Index: www/openx/Makefile
===================================================================
--- www/openx/Makefile	(revision 304960)
+++ www/openx/Makefile	(working copy)
@@ -1,12 +1,8 @@
-# New ports collection makefile for:	openx
-# Date created:		13 March 2008
-# Whom:			Piotr Rybicki <meritus@innervision.pl>
-#
+# Created by: Piotr Rybicki <meritus@innervision.pl>
 # $FreeBSD$
-#
 
 PORTNAME=	openx
-PORTVERSION=	2.8.9
+PORTVERSION=	2.8.10
 CATEGORIES=	www
 MASTER_SITES=	http://download.openx.org/
 
Index: www/openx/distinfo
===================================================================
--- www/openx/distinfo	(revision 304960)
+++ www/openx/distinfo	(working copy)
@@ -1,2 +1,2 @@
-SHA256 (openx-2.8.9.tar.bz2) = b6c9eece311cd33c502cdf3b8b14027dcf72672318cff1adc12a81dedf5352db
-SIZE (openx-2.8.9.tar.bz2) = 9616171
+SHA256 (openx-2.8.10.tar.bz2) = 91418dcd3896e19532c4144e5f4c56bcfa49164e3304fa7240f2a1cc8b90bfc2
+SIZE (openx-2.8.10.tar.bz2) = 9787343
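Review bot: the new SHA256 and SIZE for openx-2.8.10.tar.bz2 cannot be verified from the diff alone, and distinfo is the only integrity check the port applies to the fetched tarball. Before commit, regenerate with `make makesum` against the MASTER_SITES URL from the Makefile, confirm `make checksum` passes, and compare the digest with the one upstream publishes for the 2.8.10 release so a mirror-substituted archive is not blessed by the port.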


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: edwin 
State-Changed-When: Thu Sep 27 14:20:14 UTC 2012 
State-Changed-Why:  
Awaiting maintainers feedback (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=172114 

From: Edwin Groothuis <edwin@FreeBSD.org>
To: meritus@innervision.pl
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/172114: www/openx:update to 2.8.10
Date: Thu, 27 Sep 2012 14:20:10 UT

 Maintainer of www/openx,
 
 Please note that PR ports/172114 has just been submitted.
 
 If it contains a patch for an upgrade, an enhancement or a bug fix
 you agree on, reply to this email stating that you approve the patch
 and a committer will take care of it.
 
 The full text of the PR can be found at:
     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/172114
 
 -- 
 Edwin Groothuis via the GNATS Auto Assign Tool
 edwin@FreeBSD.org
Responsible-Changed-From-To: freebsd-ports-bugs->rm 
Responsible-Changed-By: rm 
Responsible-Changed-When: Thu Sep 27 15:05:41 UTC 2012 
Responsible-Changed-Why:  
My PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=172114 
State-Changed-From-To: feedback->closed 
State-Changed-By: rm 
State-Changed-When: Wed Oct 3 12:37:16 UTC 2012 
State-Changed-Why:  
Committed, thank you! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=172114 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/172114: commit references a PR
Date: Wed,  3 Oct 2012 12:33:50 +0000 (UTC)

 Author: rm
 Date: Wed Oct  3 12:33:38 2012
 New Revision: 305200
 URL: http://svn.freebsd.org/changeset/ports/305200
 
 Log:
   - update to 2.8.10
   - add vuxml entry
   
   This release fixes an SQL injection vulnerability.
   
   PR:		172114
   Submitted by:	rm (myself)
   Approved by:	ports-secteam (eadler)
   Security:	dee44ba9-08ab-11e2-a044-d0df9acfd7e5
 
 Modified:
   head/security/vuxml/vuln.xml
   head/www/openx/Makefile
   head/www/openx/distinfo
 
 Modified: head/security/vuxml/vuln.xml
 ==============================================================================
 --- head/security/vuxml/vuln.xml	Wed Oct  3 12:24:20 2012	(r305199)
 +++ head/security/vuxml/vuln.xml	Wed Oct  3 12:33:38 2012	(r305200)
 @@ -51,6 +51,42 @@ Note:  Please add new entries to the beg
  
  -->
  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
 +  <vuln vid="dee44ba9-08ab-11e2-a044-d0df9acfd7e5">
 +    <topic>OpenX -- SQL injection vulnerability</topic>
 +    <affects>
 +      <package>
 +        <name>openx</name>
 +        <range><le>2.8.10</le></range>
 +      </package>
 +    </affects>
 +    <description>
 +      <body xmlns="http://www.w3.org/1999/xhtml">
 +        <p>Secunia reports:</p>
 +        <blockquote cite="http://secunia.com/advisories/50598/">
 +          <p>A vulnerability has been discovered in OpenX, which can be
 +             exploited by malicious people to conduct SQL injection 
 +             attacks.</p>
 +          <p>Input passed via the "xajaxargs" parameter to 
 +             www/admin/updates-history.php (when "xajax" is set to 
 +             "expandOSURow") is not properly sanitised in e.g. the 
 +             "queryAuditBackupTablesByUpgradeId()" function 
 +             (lib/OA/Upgrade/DB_UpgradeAuditor.php) before being used in SQL
 +             queries. This can be exploited to manipulate SQL queries by 
 +             injecting arbitrary SQL code.</p>
 +          <p>The vulnerability is confirmed in version 2.8.9. Prior versions
 +             may also be affected.</p>
 +        </blockquote>
 +      </body>
 +    </description>
 +    <references>
 +      <url>http://secunia.com/advisories/50598/</url>
 +    </references>
 +    <dates>
 +      <discovery>2012-09-14</discovery>
 +      <entry>2012-09-27</entry>
 +    </dates>
 +  </vuln>
 +
    <vuln vid="5bae2ab4-0820-11e2-be5f-00262d5ed8ee">
      <topic>chromium -- multiple vulnerabilities</topic>
      <affects>
 
 Modified: head/www/openx/Makefile
 ==============================================================================
 --- head/www/openx/Makefile	Wed Oct  3 12:24:20 2012	(r305199)
 +++ head/www/openx/Makefile	Wed Oct  3 12:33:38 2012	(r305200)
 @@ -1,12 +1,8 @@
 -# New ports collection makefile for:	openx
 -# Date created:		13 March 2008
 -# Whom:			Piotr Rybicki <meritus@innervision.pl>
 -#
 +# Created by: Piotr Rybicki <meritus@innervision.pl>
  # $FreeBSD$
 -#
  
  PORTNAME=	openx
 -PORTVERSION=	2.8.9
 +PORTVERSION=	2.8.10
  CATEGORIES=	www
  MASTER_SITES=	http://download.openx.org/
  
 
 Modified: head/www/openx/distinfo
 ==============================================================================
 --- head/www/openx/distinfo	Wed Oct  3 12:24:20 2012	(r305199)
 +++ head/www/openx/distinfo	Wed Oct  3 12:33:38 2012	(r305200)
 @@ -1,2 +1,2 @@
 -SHA256 (openx-2.8.9.tar.bz2) = b6c9eece311cd33c502cdf3b8b14027dcf72672318cff1adc12a81dedf5352db
 -SIZE (openx-2.8.9.tar.bz2) = 9616171
 +SHA256 (openx-2.8.10.tar.bz2) = 91418dcd3896e19532c4144e5f4c56bcfa49164e3304fa7240f2a1cc8b90bfc2
 +SIZE (openx-2.8.10.tar.bz2) = 9787343
 _______________________________________________
 svn-ports-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-ports-all
 To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
 
>Unformatted:
