Date:      Thu, 20 Feb 2003 11:30:12 -0800 (PST)
From:      Thierry Thomas <thierry@pompo.net>
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/48485: Ports mail/imp should be marked as forbidden as soon as possbile
Message-ID:  <200302201930.h1KJUCW1099003@freefall.freebsd.org>

The following reply was made to PR ports/48485; it has been noted by GNATS.

From: Thierry Thomas <thierry@pompo.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: ports/48485: Ports mail/imp should be marked as forbidden as soon as possbile
Date: Thu, 20 Feb 2003 20:26:28 +0100

 On Thu 20 Feb 03 at 16:00:05 +0100, LiuKang <lazykang@hotmail.com>
  wrote:
 > 
 > >Number:         48485
 > >Category:       ports
 > >Synopsis:       Ports mail/imp contains a SQL injection vulnerability,
          
 > >Description:
 >         As it says in http://www.horde.org/imp/2.2/, IMP 2.2.x contains a
 > SQL injection vulnerability, which can be used by an attacker to execute
 > SQL statements with the privileges of the Horde database user, by simply
 > manipulating Horde URLs. This bug has got a CVE id: "CAN-2003-0025". 
 > >How-To-Repeat:
 > 	n/a
 > >Fix:
 > 	I think imp 2.2.x should be marked as forbidden temporarily.
 
 Thanks for the notice. This port (with www/horde) should be removed. On
 <http://www.horde.org/imp/2.2/news.php> (dated 2003-01-28)
 it is written:
 
 The Horde Project has previously announced that IMP 2.2.x is no longer
 actively maintained, and that sites still running IMP 2.2 are strongly
 urged to upgrade to 3.x as soon as possible. It is very unlikely that any
 further official releases of the IMP 2.2.x branch will be created.
 
 It is only useful for people using PHP3 and not PHP4...
 -- 
 Th. Thomas.
