From owner-freebsd-ports-bugs Thu Feb 20 9:10:34 2003
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 917E637B40C for ; Thu, 20 Feb 2003 09:10:21 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id DA40243FD7 for ; Thu, 20 Feb 2003 09:10:18 -0800 (PST) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.6/8.12.6) with ESMTP id h1KHAINS058423 for ; Thu, 20 Feb 2003 09:10:18 -0800 (PST) (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.12.6/8.12.6/Submit) id h1KHAIUv058422; Thu, 20 Feb 2003 09:10:18 -0800 (PST)
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D859937B401 for ; Thu, 20 Feb 2003 06:58:00 -0800 (PST)
Received: from hotmail.com (oe16.pav2.hotmail.com [64.4.36.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id D5FD843FA3 for ; Thu, 20 Feb 2003 06:57:59 -0800 (PST) (envelope-from lazykang@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 20 Feb 2003 06:57:59 -0800
Message-Id:
Date: Thu, 20 Feb 2003 23:00:05 +0800
From: "LiuKang"
To:
Subject: ports/48485: Ports mail/imp should be marked as forbidden as soon as possible
Sender: owner-freebsd-ports-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         48485
>Category:       ports
>Synopsis:       Ports mail/imp contains a SQL injection vulnerability
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Feb 20 09:10:18 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Kang Liu
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
Beijing University of Technology
>Environment:
System: FreeBSD cnproxy.bjpu.edu.cn 5.0-CURRENT FreeBSD 5.0-CURRENT #4: Tue Feb 18 22:02:59 CST 2003 root@cnproxy.bjpu.edu.cn:/usr/o
>Description:
As stated at http://www.horde.org/imp/2.2/, IMP 2.2.x contains a SQL injection vulnerability, which can be used by an attacker to execute SQL statements with the privileges of the Horde database user by simply manipulating Horde URLs. This bug has been assigned a CVE id: "CAN-2003-0025".
>How-To-Repeat:
n/a
>Fix:
I think imp 2.2.x should be marked as forbidden temporarily.
>Release-Note:
>Audit-Trail:
>Unformatted:
it should be marked as forbidden as soon as possible

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports-bugs" in the body of the message