Date: Thu, 13 Dec 2012 17:00:21 -0500
From: Adam Weinberger <adamw@FreeBSD.org>
To: Eitan Adler <eadler@freebsd.org>
Cc: svn-ports-head@freebsd.org, ports-secteam@freebsd.org,
    Beech Rintoul <beech@freebsd.org>, svn-ports-all@freebsd.org,
    ports-committers@freebsd.org, portmgr@freebsd.org,
    Beech Rintoul <beech@freebsdnorth.com>
Subject: Re: svn commit: r308867 - head/www/hastymail2
Message-ID: <20121213220021.GA10601@apnoea.adamw.org>
In-Reply-To: <CAF6rxgm96QC1wYDDs-h0EXkqZn6t5KX=_FvaDLkSGoAbJBdxOA@mail.gmail.com>
References: <201212131904.qBDJ4u9M095797@svn.freebsd.org>
    <CAF6rxgmsHq=GfsPvCkQJQD168RjToYxQ%2BziotvyLWrJgHfeF0w@mail.gmail.com>
    <201212131030.54563.beech@freebsdnorth.com>
    <201212131044.23185.beech@freebsdnorth.com>
    <CAF6rxgm96QC1wYDDs-h0EXkqZn6t5KX=_FvaDLkSGoAbJBdxOA@mail.gmail.com>

>> (2012/12/13 @ 1517 EST): Eitan Adler said, in 2.2K: <<
> On 13 December 2012 14:44, Beech Rintoul <beech@freebsdnorth.com> wrote:
> > On Thursday 13 December 2012 10:30:54 Beech Rintoul wrote:
> >> On Thursday 13 December 2012 10:08:45 Eitan Adler wrote:
> >> > On 13 December 2012 14:04, Beech Rintoul <beech@freebsd.org> wrote:
> >> > > Author: beech
> >> > > Date: Thu Dec 13 19:04:56 2012
> >> > > New Revision: 308867
> >> > > URL: http://svnweb.freebsd.org/changeset/ports/308867
> >> > >
> >> > > Log:
> >> > > - Update to 1.1 final.
> >> > > - Security vulnerabilities are fixed in this version.
> >> >
> >> > Which ones? Is there a vuxml to go along with this?
> >>
> >> No vuxml and no mention of security vulnerabilities in previous pr's. The
> >> website shows the following which doesn't appear anywhere else:
> >>
> >> Two security issues have been recently discovered in Hastymail. Both are
> >> fixed in this latest release. All users are encouraged to upgrade to the
> >> 1.1 version to protect themselves from these issues.
> >>
> >> Remote code execution: In order for this issue to be exploitable sites must
> >> have the notices plugin enabled in Hastymail, and register_globals and
> >> allow_url_fopen enabled in PHP. It is STRONGLY recommended that you do not
> >> have register_globals enabled in PHP. Upgrading to the 1.1 version resolves
> >> this bug, or you can update the hastymail2/plugins/notices/test_sounds.php
> >> file to the latest version in SVN found here:
> >>
> >> http://hastymail.svn.sourceforge.net/viewvc/hastymail/trunk/hastymail2/plugins/notices/test_sound.php?revision=2074
> >>
> >> XSS exploit on thread view: Shai Rod reported an issue on the thread view
> >> page that allows specially crafted message subjects to execute javascript
> >> code when viewed on the thread view page. Several files had to be modified
> >> to correct this issue so it is recommended that sites upgrade to version
> >> 1.1 to mitigate this issue.
> >
> > This is the second maintainer timeout, the first being pr 165549 from February
> > 29. I'm wondering if this port should go back to the pool as
> > graudeejs@gmail.com hasn't responded.
>
> Yes, it should be - it's been over 3 months without a reply or update.
> He also timed out on a security related PR. Please reset.
>
>> end of "Re: svn commit: r308867 - head/www/hastymail2" from Eitan Adler <<

He also failed to respond at all to 171669.

# Adam

--
Adam Weinberger
adamw@adamw.org
http://www.adamw.org