From owner-cvs-all@FreeBSD.ORG  Tue Apr  3 03:51:40 2012
Return-Path: <owner-cvs-all@FreeBSD.ORG>
Delivered-To: cvs-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id AA84C106566B;
	Tue,  3 Apr 2012 03:51:40 +0000 (UTC)
	(envelope-from remko@elvandar.org)
Received: from mailout.jr-hosting.nl (mailout.jr-hosting.nl
	[IPv6:2a01:4f8:141:5ffd::1:25])
	by mx1.freebsd.org (Postfix) with ESMTP id DCB908FC0C;
	Tue,  3 Apr 2012 03:51:39 +0000 (UTC)
Received: from mail.jr-hosting.nl (mail.jr-hosting.nl
	[IPv6:2a01:4f8:141:5ffd::25])
	by mailout.jr-hosting.nl (Postfix) with ESMTP id 0DD5039025EF;
	Tue,  3 Apr 2012 05:51:39 +0200 (CEST)
Received: from [10.0.2.10] (a44084.upc-a.chello.nl [62.163.44.84])
	by mail.jr-hosting.nl (Postfix) with ESMTPSA id 894A938B131B;
	Tue,  3 Apr 2012 05:51:38 +0200 (CEST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset=iso-8859-1
From: Remko Lodder <remko@elvandar.org>
X-Priority: 3
In-Reply-To: <D649B5AEC45D47BB9A9C82E3CC7584D6@charlieroot.de>
Date: Tue, 3 Apr 2012 05:51:37 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <67EB8A9E-62A5-40B9-8AB6-7662568578A0@elvandar.org>
References: <201203291821.q2TILLmU032333@repoman.freebsd.org>
	<CAMuy=+grs_W9Gvck0reDsb5arYGg3N6Az23=WxzoTGxMsQdSnw@mail.gmail.com>
	<4F755BBF.7020607@yandex.ru>
	<D649B5AEC45D47BB9A9C82E3CC7584D6@charlieroot.de>
To: Helmut Schneider <jumper99@gmx.de>
X-Mailer: Apple Mail (2.1257)
Cc: cvs-ports@freebsd.org, cvs-all@freebsd.org, Jason Helfman <jgh@FreeBSD.org>,
	Ruslan Mahmatkhanov <cvs-src@yandex.ru>, ports-committers@freebsd.org
Subject: Re: cvs commit: ports/www/typo345 Makefile distinfo pkg-descr
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: **OBSOLETE** CVS commit messages for the entire tree
	<cvs-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-all>
List-Post: <mailto:cvs-all@freebsd.org>
List-Help: <mailto:cvs-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-all>,
	<mailto:cvs-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Apr 2012 03:51:40 -0000


the <dates> section misses the <entry> tag which tells the system when =
the entry had been made.

Apart from that I would like to ask you whether you can send this diff =
to ports-security which can review
this for you, be sure to add an unified diff _attached_ to the mail, so =
that someone can download it and
apply it to the tree and validate whether the entry indeed works etc.

Thank you for working on this!
Remko

On Apr 2, 2012, at 11:16 PM, Helmut Schneider wrote:

> Does this look reasonable?
>=20
> <vuln vid=3D"cf36b6a1-7d08-11e1-b720-000c2994762c">
>   <topic>Typo3 - Cross-Site Scripting, Information Disclosure, =
Insecure Unserialize</topic>
>   <affects>
>     <package>
>       <name>typo3</name>
>       <range><ge>4.6</ge><le>4.6.6</le></range>
>     </package>
>     <package>
>       <name>typo345</name>
>       <range><ge>4.5</ge><le>4.5.13</le></range>
>     </package>
>     <package>
>       <name>typo344</name>
>       <range><ge>4.4</ge><le>4.4.13</le></range>
>     </package>
>   </affects>
>   <description>
>     <body xmlns=3D"http://www.w3.org/1999/xhtml">
>       <p>The typo3 security team reports:</p>
>       <blockquote =
cite=3D"https://typo3.org/teams/security/security-bulletins/typo3-core/typ=
o3-core-sa-2012-001/">
>         <p>Due to a missing signature (HMAC) for a request argument, =
an attacker could unserialize arbitrary objects within TYPO3.</p>
>         <p>Failing to properly HTML-encode user input in several =
places, the TYPO3 backend is susceptible to Cross-Site Scripting. A =
valid backend user is required to exploit these vulnerabilities.</p>
>         <p>Accessing a CLI Script directly with a browser may disclose =
the database name used for the TYPO3 installation.</p>
>         <p>By not removing non printable characters, the API method =
t3lib_div::RemoveXSS() fails to filter specially crafted HTML =
injections, thus is susceptible to Cross-Site Scripting.</p>
>       </blockquote>
>     </body>
>   </description>
>   <references>
>     <cvename>CVE-2012-1605</cvename>
>     <cvename>CVE-2012-1606</cvename>
>     <cvename>CVE-2012-1607</cvename>
>     <cvename>CVE-2012-1608</cvename>
>     =
<url>https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-=
core-sa-2012-001/</url>
>   </references>
>   <dates>
>     <discovery>2012-03-28</discovery>
>   </dates>
> </vuln>
>=20
>=20
> --------------------------------------------------
> From: "Ruslan Mahmatkhanov" <cvs-src@yandex.ru>
> Sent: Friday, March 30, 2012 9:07 AM
> To: "Jason Helfman" <jgh@FreeBSD.org>
> Cc: <ports-committers@freebsd.org>; <cvs-ports@freebsd.org>; =
<cvs-all@freebsd.org>; "Helmut Schneider" <jumper99@gmx.de>
> Subject: Re: cvs commit: ports/www/typo345 Makefile distinfo pkg-descr
>=20
>> Jason Helfman wrote on 30.03.2012 10:30:
>>> On Thu, Mar 29, 2012 at 11:21 AM, Ruslan =
Mahmatkhanov<rm@freebsd.org>wrote:
>>>=20
>>>> rm          2012-03-29 18:21:21 UTC
>>>>=20
>>>>  FreeBSD ports repository
>>>>=20
>>>>  Modified files:
>>>>    www/typo345          Makefile distinfo pkg-descr
>>>>  Log:
>>>>  - update to 4.5.14
>>>>=20
>>>>  See
>>>> =
https://typo3.org/teams/security/security-bulletins/typo3-core/typo3-core-=
sa-2012-001/
>>>>=20
>>>>  PR:             166467 =
http://www.FreeBSD.org/cgi/query-pr.cgi?pr=3D166467
>>>>  Submitted by:   Helmut Schneider<jumper99 at gmx dot de>  =
(maintainer)
>>>>  Feature safe:   yes
>>>>=20
>>>>  Revision  Changes    Path
>>>>  1.60      +1 -1      ports/www/typo345/Makefile
>>>>  1.42      +4 -4      ports/www/typo345/distinfo
>>>>  1.7       +1 -1      ports/www/typo345/pkg-descr
>>>>=20
>>>>=20
>>>> =
http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/Makefile.diff?&r1=3D=
1.59&r2=3D1.60&f=3Dh
>>>>=20
>>>> =
http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/distinfo.diff?&r1=3D=
1.41&r2=3D1.42&f=3Dh
>>>>=20
>>>> =
http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/typo345/pkg-descr.diff?&r1=
=3D1.6&r2=3D1.7&f=3Dh
>>>>=20
>>>>=20
>>> Are there any plans to document these updates in vuxml?
>>>=20
>>> -jgh
>>>=20
>>=20
>> No, I haven't. Helmut, would you?
>>=20
>> --=20
>> Regards,
>> Ruslan
>>=20
>> Tinderboxing kills... the drives.
> _______________________________________________
> cvs-ports@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/cvs-ports
> To unsubscribe, send any mail to "cvs-ports-unsubscribe@freebsd.org"

--=20
/"\   With kind regards,			| remko@elvandar.org
\ /   Remko Lodder			| remko@FreeBSD.org
X    FreeBSD					| =
http://www.evilcoder.org
/ \   The Power to Serve		| Quis custodiet ipsos custodes