From nobody@FreeBSD.org  Wed Oct  9 18:58:12 2002
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 14CC337B401
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  9 Oct 2002 18:58:12 -0700 (PDT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4322143E88
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  9 Oct 2002 18:58:11 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.6/8.12.6) with ESMTP id g9A1wA7R056553
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 9 Oct 2002 18:58:10 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.6/8.12.6/Submit) id g9A1wABx056552;
	Wed, 9 Oct 2002 18:58:10 -0700 (PDT)
Message-Id: <200210100158.g9A1wABx056552@www.freebsd.org>
Date: Wed, 9 Oct 2002 18:58:10 -0700 (PDT)
From: Jason Li <delphij@frontfree.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: BugZilla contains multiple security holes which must be corrected or denied
X-Send-Pr-Version: www-1.0

>Number:         43883
>Category:       ports
>Synopsis:       BugZilla contains multiple security holes which must be corrected or denied
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    phantom
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 09 19:00:13 PDT 2002
>Closed-Date:    Thu Jan 23 07:57:29 PST 2003
>Last-Modified:  Thu Jan 23 07:57:29 PST 2003
>Originator:     Jason Li
>Release:        FreeBSD 4.7-STABLE
>Organization:
Frontfree Technology Network
>Environment:
FreeBSD mail.frontfree.net 4.7-STABLE FreeBSD 4.7-STABLE #11: Thu Oct 10 02:32:54 CST 2002     delphij@mail.frontfree.net:/usr/obj/usr/src/sys/MAIL  i386
>Description:
As stated on BugZilla's homepage:

All Bugzilla installations are advised to upgrade to the latest versions
of Bugzilla, 2.14.4 and 2.16.1, both released today. Security issues of 
varying importance have been fixed in both.  These vulnerabilities affect 
all previous 2.14 and 2.16 releases.

There are multiple security holes that must be solved by upgrading to the latest 2.16.1.
>How-To-Repeat:
This behavior is by design...
>Fix:
Make some changes in ports/devel/bugzilla. Considering the original port was 2.14.3, I think 2.14.4 would be better, so apply this patch to the port:

--- Makefile.orig       Thu Oct 10 09:44:18 2002
+++ Makefile    Thu Oct 10 09:56:56 2002
@@ -2,11 +2,11 @@
 # Date created:                                28 September 2001
 # Whom:                                        Alexey Zelkin <phantom@FreeBSD.org>
 #
-# $FreeBSD: ports/devel/bugzilla/Makefile,v 1.11 2002/08/18 15:33:46 phantom Exp $
+# $FreeBSD$
 #
 
 PORTNAME=      bugzilla
-PORTVERSION=   2.14.3
+PORTVERSION=   2.14.4
 CATEGORIES=    devel
 MASTER_SITES=  http://ftp.mozilla.org/pub/${MASTER_SITE_SUBDIR}/ \
                ${MASTER_SITE_MOZILLA}
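
Review bot: the $FreeBSD$ header line at the top of this hunk is changed from the expanded CVS id to the bare keyword, which is unrelated to the security update and only adds noise for the committer; drop that pair of lines so the hunk carries just the PORTVERSION bump from 2.14.3 to 2.14.4. The PR text says the holes must be solved by upgrading to 2.16.1 while the patch moves to 2.14.4; the quoted advisory lists both as fixed releases, so the commit message should say that staying on the 2.14 branch is deliberate.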

--- distinfo.orig       Thu Oct 10 09:44:25 2002
+++ distinfo    Thu Oct 10 09:52:36 2002
@@ -1 +1 @@
-MD5 (bugzilla-2.14.3.tar.gz) = 17c80958f82be0027368390cd84e2a82
+MD5 (bugzilla-2.14.4.tar.gz) = 42461698e402b2225177f031bdfa7617
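
Review bot: the replacement MD5 line is the only integrity check on bugzilla-2.14.4.tar.gz, and its value comes from the PR itself while the Makefile's MASTER_SITES fetches over plain http. Before committing, fetch the tarball independently, regenerate distinfo (make makesum) and confirm the result matches this value and the checksum published upstream, rather than copying the line from the report.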
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports->phantom 
Responsible-Changed-By: ijliao 
Responsible-Changed-When: Wed Oct 9 19:44:28 PDT 2002 
Responsible-Changed-Why:  
over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=43883 
State-Changed-From-To: open->closed 
State-Changed-By: phantom 
State-Changed-When: Thu Jan 23 07:56:48 PST 2003 
State-Changed-Why:  
Problem was fixed 3 months ago.  Close PR. 



>Unformatted:
