Date:      Thu, 20 Feb 2003 23:00:05 +0800
From:      "LiuKang" <lazykang@hotmail.com>
To:        <FreeBSD-gnats-submit@FreeBSD.org>
Subject:   ports/48485: Ports mail/imp should be marked as forbidden as soon as possible
Message-ID:  <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAgJ14HzWEVESapMqH59byCcKAAAAQAAAAmfkvKGi7v0CWT/aPTkuYFgEAAAAA@hotmail.com>

>Number:         48485
>Category:       ports
>Synopsis:       Ports mail/imp contains a SQL injection vulnerability,
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 20 09:10:18 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Kang Liu
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Beijing University of Technology
>Environment:
System: FreeBSD cnproxy.bjpu.edu.cn 5.0-CURRENT FreeBSD 5.0-CURRENT #4:
Tue Feb 18 22:02:59 CST 2003 root@cnproxy.bjpu.edu.cn:/usr/o
        
>Description:
        As it says at http://www.horde.org/imp/2.2/, IMP 2.2.x contains a
SQL injection vulnerability, which can be used by an attacker to execute
SQL statements with the privileges of the Horde database user, by simply
manipulating Horde URLs. This bug has got a CVE id: "CAN-2003-0025". 
>How-To-Repeat:
	n/a
>Fix:
	I think imp 2.2.x should be marked as forbidden temporarily.
>Release-Note:
>Audit-Trail:
>Unformatted:
 it should be marked as forbidden as soon as possible
