Date: Thu, 20 Feb 2003 11:30:12 -0800 (PST)
From: Thierry Thomas <thierry@pompo.net>
To: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/48485: Ports mail/imp should be marked as forbidden as soon as possbile
Message-ID: <200302201930.h1KJUCW1099003@freefall.freebsd.org>

The following reply was made to PR ports/48485; it has been noted by GNATS.

From: Thierry Thomas <thierry@pompo.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc:
Subject: Re: ports/48485: Ports mail/imp should be marked as forbidden as soon as possbile
Date: Thu, 20 Feb 2003 20:26:28 +0100

On Thu 20 Feb 03 at 16:00:05 +0100, LiuKang <lazykang@hotmail.com> wrote:
>
> >Number: 48485
> >Category: ports
> >Synopsis: Ports mail/imp contains a SQL injection vulnerability,
> >Description:
> As it says in http://www.horde.org/imp/2.2/ IMP 2.2.x contains a
> SQL injection vulnerability, which can be used by an attacker to execute
> SQL statements with the privileges of the Horde database user, by simply
> manipulating Horde URLs. This bug has got a CVE id: "CAN-2003-0025".
> >How-To-Repeat:
> n/a
> >Fix:
> I think imp 2.2.x should be marked as forbidden temporarily.

Thanks for the notice. This port (with www/horde) should be removed.

On <http://www.horde.org/imp/2.2/news.php> (dated 2003-01-28) it is
written:

    The Horde Project has previously announced that IMP 2.2.x is no
    longer actively maintained, and that sites still running IMP 2.2 are
    strongly urged to upgrade to 3.x as soon as possible. It is very
    unlikely that any further official releases of the IMP 2.2.x branch
    will be created.

It is only useful for people using PHP3 and not PHP4...

--
Th. Thomas.