Date: Fri, 25 Jun 2010 23:43:10 +0200 (CEST) From: olli hauer <ohauer@gmx.de> To: FreeBSD-gnats-submit@FreeBSD.org Cc: ohauer@gmx.de Subject: ports/148149: [patch] port devel/bugzilla update to 3.6.1 (security fix) Message-ID: <20100625214310.C521C201DE@u18-124.dsl.vianetworks.de> Resent-Message-ID: <201006252150.o5PLo1LG009293@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 148149 >Category: ports >Synopsis: [patch] port devel/bugzilla update to 3.6.1 (security fix) >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Fri Jun 25 21:50:01 UTC 2010 >Closed-Date: >Last-Modified: >Originator: olli hauer <ohauer@gmx.de> >Release: >Organization: >Environment: >Description: Update bugzilla to 3.6.1 Additional fixes in the port (my PR 145810 from 18 Apr 2010) ================================================================== Since bugzilla 3.x the webserver group and the default database are defined in 'Bugzilla/Install/Localconfig.pm' (not in checksetup.pl) The follwing patch correct this, additional if Pg is the default and mysql is not selected as OPTIONS the default DB will be changed to Pg. Release Notes for 3.6.1 ================================================================== This release fixes two security issues. See the Security Advisory for details. In addition, the following important fixes/changes have been made in this release: * Using the "Change Columns" page would sometimes result in a plain-text page instead of HTML. (Bug 376044) * Extensions that have only templates and no code are now working. (Bug 562551) * install-module.pl has been fixed so that it installs modules properly on both new and old versions of Perl. (Bug 560318 and Bug 560330) * It is now possible to upgrade from 3.4 to 3.6 when using Oracle. (Bug 561379) * Editing a field value's name (using the Field Values admin control panel) wasn't working if the value was set as the default for that field. (Bug 561296) * If you had the noresolveonopenblockers parameter set, bugs couldn't be edited at all if they were marked FIXED and had any open blockers. (The parameter is only supposed to prevent changing bugs to FIXED, not modifying already-FIXED bugs.) (Bug 565314) * Some minor issues with Perl 5.12 were fixed (mostly warnings that Perl 5.12 was throwing). Bugzilla now supports Perl 5.12. Vulnerability Details http://www.bugzilla.org/security/3.2.6/ ================================================================== Class: Remote Information Disclosure Versions: 2.17.1 to 3.2.6, 3.3.1 to 3.4.6, 3.5.1 to 3.6, 3.7 Fixed In: 3.2.7, 3.4.7, 3.6.1, 3.7.1 Description: Normally, information about time-tracking (estimated hours, actual hours, hours worked, and deadlines) is restricted to users in the "time-tracking group". However, any user was able, by crafting their own search URL, to search for bugs based using those fields as criteria, thus possibly exposing sensitive time-tracking information by a user seeing that a bug matched their search. References: https://bugzilla.mozilla.org/show_bug.cgi?id=309952 CVE Number: CVE-2010-1204 Class: Local Information Disclosure Versions: 3.5.1 to 3.6, 3.7 Fixed In: 3.6.1, 3.7.1 Description: If $use_suexec was set to "1" in the localconfig file, then the localconfig file's permissions were set as world-readable by checksetup.pl. This allowed any user with local shell access to see the contents of the file, including the database password and the site_wide_secret variable used for CSRF protection. References: https://bugzilla.mozilla.org/show_bug.cgi?id=561797 CVE Number: CVE-2010-0180 Vulnerability Solutions ======================= The fix for these issues are included in the 3.2.7, 3.4.7, 3.6.1, and 3.7.1 releases. Upgrading to a release with the relevant fix will protect your installation from possible exploits of this issue. >How-To-Repeat: >Fix: --- patch_bugzilla-3.6.1.txt begins here --- Index: bugzilla/distinfo =================================================================== --- bugzilla/distinfo (revision 1) +++ bugzilla/distinfo (working copy) @@ -1,3 +1,3 @@ -MD5 (bugzilla-3.6.tar.gz) = 9c0210131ca9915526f63c84030463e1 -SHA256 (bugzilla-3.6.tar.gz) = 9ea0c093113212db3e45963f19a1000b7204adae23982ec67b36c673a1d50a6e -SIZE (bugzilla-3.6.tar.gz) = 2629396 +MD5 (bugzilla-3.6.1.tar.gz) = 74045f64fa7698f61ef24ef44b2e2074 +SHA256 (bugzilla-3.6.1.tar.gz) = a8e343558628ba020bbb92844f665650a90ade080b248e757a34aa958ca16573 +SIZE (bugzilla-3.6.1.tar.gz) = 2631968 Index: bugzilla/Makefile =================================================================== --- bugzilla/Makefile (revision 1) +++ bugzilla/Makefile (working copy) @@ -6,7 +6,7 @@ # PORTNAME= bugzilla -PORTVERSION= 3.6 +PORTVERSION= 3.6.1 CATEGORIES= devel MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= webtools webtools/archived @@ -163,8 +163,14 @@ .endif post-patch: - @${PERL} -pi -e "s!(?<=webservergroup_default = ')apache!www!" \ - ${WRKSRC}/checksetup.pl + @${PERL} -pi -e 's/(default => ON_WINDOWS.+)apache/$$1www/' \ + ${WRKSRC}/Bugzilla/Install/Localconfig.pm +.if defined(WITH_PGSQL) && !defined(WITH_MYSQL) + @${PERL} -pi -e 's/(default =>.+)mysql/$$1Pg/' \ + ${WRKSRC}/Bugzilla/Install/Localconfig.pm + @${PERL} -pi -e 's/(Default is )mysql/$$1Pg/' \ + ${WRKSRC}/Bugzilla/Install/Localconfig.pm +.endif @${FIND} ${WRKSRC} \( -name "CVS" -or -name ".cvsignore" -or -name "*.orig" \ -or -name ".bzr*" -or -name "README.docs" \) | ${XARGS} ${RM} -rf ${FIND} ${WRKSRC} -type f -exec ${REINPLACE_CMD} -i '' \ --- patch_bugzilla-3.6.1.txt ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20100625214310.C521C201DE>