From owner-svn-ports-head@FreeBSD.ORG  Thu May 23 07:24:42 2013
Return-Path: <owner-svn-ports-head@FreeBSD.ORG>
Delivered-To: svn-ports-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id 07B90F12;
 Thu, 23 May 2013 07:24:42 +0000 (UTC)
 (envelope-from matthew@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 by mx1.freebsd.org (Postfix) with ESMTP id DD42E9D3;
 Thu, 23 May 2013 07:24:41 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r4N7Ofci086600;
 Thu, 23 May 2013 07:24:41 GMT (envelope-from matthew@svn.freebsd.org)
Received: (from matthew@localhost)
 by svn.freebsd.org (8.14.6/8.14.5/Submit) id r4N7Oeue086592;
 Thu, 23 May 2013 07:24:40 GMT (envelope-from matthew@svn.freebsd.org)
Message-Id: <201305230724.r4N7Oeue086592@svn.freebsd.org>
From: Matthew Seaman <matthew@FreeBSD.org>
Date: Thu, 23 May 2013 07:24:40 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org,
 svn-ports-head@freebsd.org
Subject: svn commit: r318848 - in head: security/vuxml www/rt38 www/rt40
X-SVN-Group: ports-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the ports tree for head
 <svn-ports-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-ports-head>,
 <mailto:svn-ports-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-ports-head>
List-Post: <mailto:svn-ports-head@freebsd.org>
List-Help: <mailto:svn-ports-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-ports-head>,
 <mailto:svn-ports-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 23 May 2013 07:24:42 -0000

Author: matthew
Date: Thu May 23 07:24:40 2013
New Revision: 318848
URL: http://svnweb.freebsd.org/changeset/ports/318848

Log:
  Security Updates
  
     - www/rt40 to 4.0.13
     - www/rt38 to 3.8.17 [1]
  
  This is a security fix addressing a number of CVEs:
  
      CVE-2012-4733
      CVE-2013-3368
      CVE-2013-3369
      CVE-2013-3370
      CVE-2013-3371
      CVE-2013-3372
      CVE-2013-3373
      CVE-2013-3374
  
  Users will need to update their database schemas as described in
  pkg-message
  
  Approved by:	flo [1]
  Security:	3a429192-c36a-11e2-97a9-6805ca0b3d42

Modified:
  head/security/vuxml/vuln.xml
  head/www/rt38/Makefile
  head/www/rt38/distinfo
  head/www/rt40/Makefile
  head/www/rt40/distinfo

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu May 23 07:11:47 2013	(r318847)
+++ head/security/vuxml/vuln.xml	Thu May 23 07:24:40 2013	(r318848)
@@ -51,6 +51,109 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="3a429192-c36a-11e2-97a9-6805ca0b3d42">
+    <topic>RT -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>rt38</name>
+	<range><ge>3.8</ge><lt>3.8.17</lt></range>
+      </package>
+      <package>
+	<name>rt40</name>
+	<range><ge>4.0</ge><lt>4.0.13</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Thomas Sibley reports:</p>
+	<blockquote cite="http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html">
+	  <p>We discovered a number of security vulnerabilities which
+	  affect both RT 3.8.x and RT 4.0.x.  We are releasing RT
+	  versions 3.8.17 and 4.0.13 to resolve these vulnerabilities,
+	  as well as patches which apply atop all released versions of
+	  3.8 and 4.0.</p>
+	  <p>The vulnerabilities addressed by 3.8.17, 4.0.13, and the
+	  below patches include the following:</p>
+	  <p>RT 4.0.0 and above are vulnerable to a limited privilege
+	  escalation leading to unauthorized modification of ticket
+	  data.  The DeleteTicket right and any custom lifecycle
+	  transition rights may be bypassed by any user with
+	  ModifyTicket.  This vulnerability is assigned
+	  CVE-2012-4733.</p>
+	  <p>RT 3.8.0 and above include a version of bin/rt that uses
+	  semi-predictable names when creating tempfiles.  This could
+	  possibly be exploited by a malicious user to overwrite files
+	  with permissions of the user running bin/rt.  This
+	  vulnerability is assigned CVE-2013-3368.</p>
+	  <p>RT 3.8.0 and above allow calling of arbitrary Mason
+	  components (without control of arguments) for users who can
+	  see administration pages.  This could be used by a malicious
+	  user to run private components which may have negative
+	  side-effects.  This vulnerability is assigned
+	  CVE-2013-3369.</p>
+	  <p>RT 3.8.0 and above allow direct requests to private
+	  callback components.  Though no callback components ship
+	  with RT, this could be used to exploit an extension or local
+	  callback which uses the arguments passed to it insecurely.
+	  This vulnerability is assigned CVE-2013-3370.</p>
+	  <p>RT 3.8.3 and above are vulnerable to cross-site scripting
+	  (XSS) via attachment filenames.  The vector is difficult to
+	  exploit due to parsing requirements.  Additionally, RT 4.0.0
+	  and above are vulnerable to XSS via maliciously-crafted
+	  "URLs" in ticket content when RT's "MakeClicky" feature is
+	  configured.  Although not believed to be exploitable in the
+	  stock configuration, a patch is also included for RTIR 2.6.x
+	  to add bulletproofing.  These vulnerabilities are assigned
+	  CVE-2013-3371.</p>
+	  <p>RT 3.8.0 and above are vulnerable to an HTTP header
+	  injection limited to the value of the Content-Disposition
+	  header.  Injection of other arbitrary response headers is
+	  not possible.  Some (especially older) browsers may allow
+	  multiple Content-Disposition values which could lead to XSS.
+	  Newer browsers contain security measures to prevent this.
+	  Thank you to Dominic Hargreaves for reporting this
+	  vulnerability.  This vulnerability is assigned
+	  CVE-2013-3372.</p>
+	  <p>RT 3.8.0 and above are vulnerable to a MIME header
+	  injection in outgoing email generated by RT.  The vectors
+	  via RT's stock templates are resolved by this patchset, but
+	  any custom email templates should be updated to ensure that
+	  values interpolated into mail headers do not contain
+	  newlines.  This vulnerability is assigned CVE-2013-3373.</p>
+	  <p>RT 3.8.0 and above are vulnerable to limited session
+	  re-use when using the file-based session store,
+	  Apache::Session::File.  RT's default session configuration
+	  only uses Apache::Session::File for Oracle.  RT instances
+	  using Oracle may be locally configured to use the
+	  database-backed Apache::Session::Oracle, in which case
+	  sessions are never re-used.  The extent of session re-use is
+	  limited to information leaks of certain user preferences and
+	  caches, such as queue names available for ticket creation.
+	  Thank you to Jenny Martin for reporting the problem that
+	  lead to discovery of this vulnerability.  This vulnerability
+	  is assigned CVE-2013-3374.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+	<url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000226.html</url>
+	<url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000227.html</url>
+	<url>http://lists.bestpractical.com/pipermail/rt-announce/2013-May/000228.html</url>
+	<cvename>CVE-2012-4733</cvename>
+	<cvename>CVE-2013-3368</cvename>
+	<cvename>CVE-2013-3369</cvename>
+	<cvename>CVE-2013-3370</cvename>
+	<cvename>CVE-2013-3371</cvename>
+	<cvename>CVE-2013-3372</cvename>
+	<cvename>CVE-2013-3373</cvename>
+	<cvename>CVE-2013-3374</cvename>
+    </references>
+    <dates>
+      <discovery>2013-05-22</discovery>
+      <entry>2013-05-23</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="358133b5-c2b9-11e2-a738-00262d5ed8ee">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>

Modified: head/www/rt38/Makefile
==============================================================================
--- head/www/rt38/Makefile	Thu May 23 07:11:47 2013	(r318847)
+++ head/www/rt38/Makefile	Thu May 23 07:24:40 2013	(r318848)
@@ -8,7 +8,7 @@
 #   o install a sample into etc/apache22/Includes
 
 PORTNAME=	rt
-PORTVERSION=	3.8.16
+PORTVERSION=	3.8.17
 CATEGORIES=	www
 MASTER_SITES=	http://download.bestpractical.com/pub/rt/release/ \
 		ftp://ftp.eu.uu.net/pub/unix/ticketing/rt/release/

Modified: head/www/rt38/distinfo
==============================================================================
--- head/www/rt38/distinfo	Thu May 23 07:11:47 2013	(r318847)
+++ head/www/rt38/distinfo	Thu May 23 07:24:40 2013	(r318848)
@@ -1,2 +1,2 @@
-SHA256 (rt-3.8.16.tar.gz) = 8a0bdb9fc2938ffe21111127d5777ef5d3107195c2597cb35c5c0a44dc4ca045
-SIZE (rt-3.8.16.tar.gz) = 5650272
+SHA256 (rt-3.8.17.tar.gz) = d9cd8b239712f25d38619791ab9f8d60c57f001cc0df2caeb2ccb7ad9f8a4acd
+SIZE (rt-3.8.17.tar.gz) = 5728368

Modified: head/www/rt40/Makefile
==============================================================================
--- head/www/rt40/Makefile	Thu May 23 07:11:47 2013	(r318847)
+++ head/www/rt40/Makefile	Thu May 23 07:24:40 2013	(r318848)
@@ -1,7 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	rt
-PORTVERSION=	4.0.12
+PORTVERSION=	4.0.13
 CATEGORIES=	www
 MASTER_SITES=	http://download.bestpractical.com/pub/rt/release/ \
 		ftp://ftp.eu.uu.net/pub/unix/ticketing/rt/release/

Modified: head/www/rt40/distinfo
==============================================================================
--- head/www/rt40/distinfo	Thu May 23 07:11:47 2013	(r318847)
+++ head/www/rt40/distinfo	Thu May 23 07:24:40 2013	(r318848)
@@ -1,2 +1,2 @@
-SHA256 (rt-4.0.12.tar.gz) = ce246da3c5f03144d3070a2419ccc0756496501f143f343b52b96cb2adec09da
-SIZE (rt-4.0.12.tar.gz) = 6895082
+SHA256 (rt-4.0.13.tar.gz) = b8c516e6b99a38476eb0e0d6336d11056e322a2143e01c96e42f4586a68bf999
+SIZE (rt-4.0.13.tar.gz) = 6895248