diff options
| author | Olli Hauer <ohauer@FreeBSD.org> | 2012-01-06 01:25:28 +0800 |
|---|---|---|
| committer | Olli Hauer <ohauer@FreeBSD.org> | 2012-01-06 01:25:28 +0800 |
| commit | 03efecffe1e2cd856f6c474e32e17e983df77280 (patch) | |
| tree | ced34947290c111932f2b3cbac7ef372473493ba | |
| parent | 2982c2c274291c5f1a346d4d6c213a86423e3b5c (diff) | |
| download | freebsd-ports-gnome-03efecffe1e2cd856f6c474e32e17e983df77280.tar.gz freebsd-ports-gnome-03efecffe1e2cd856f6c474e32e17e983df77280.tar.zst freebsd-ports-gnome-03efecffe1e2cd856f6c474e32e17e983df77280.zip | |
- update to version 3.6.7
- CVE-2011-3657
- CVE-2011-3667
Summary
=======
The following security issues have been discovered in Bugzilla:
* When viewing tabular or graphical reports as well as new charts,
an XSS vulnerability is possible in debug mode.
* The User.offer_account_by_email WebService method lets you create
a new user account even if the active authentication method forbids
users to create an account.
* A CSRF vulnerability in post_bug.cgi and in attachment.cgi could
lead to the creation of unwanted bug reports and attachments.
All affected installations are encouraged to upgrade as soon as possible.
Full Release Notes:
http://www.bugzilla.org/security/3.4.12/
Approved by: skv@ (explicit)
| -rw-r--r-- | devel/bugzilla/Makefile | 17 | ||||
| -rw-r--r-- | devel/bugzilla/distinfo | 4 | ||||
| -rw-r--r-- | devel/bugzilla/files/patch-Bugzilla__Install__Requirements.pm | 14 | ||||
| -rw-r--r-- | devel/bugzilla/files/patch-Bugzilla__WebService__Server__JSONRPC.pm | 33 | ||||
| -rw-r--r-- | devel/bugzilla/pkg-plist | 3 | ||||
| -rw-r--r-- | devel/bugzilla3/Makefile | 16 | ||||
| -rw-r--r-- | devel/bugzilla3/distinfo | 4 | ||||
| -rw-r--r-- | devel/bugzilla3/files/patch-Bugzilla__WebService__Server__JSONRPC.pm | 33 | ||||
| -rw-r--r-- | devel/bugzilla3/pkg-plist | 3 |
9 files changed, 90 insertions, 37 deletions
diff --git a/devel/bugzilla/Makefile b/devel/bugzilla/Makefile index 1e1ade040d7f..1c09454d028e 100644 --- a/devel/bugzilla/Makefile +++ b/devel/bugzilla/Makefile @@ -6,8 +6,7 @@ # PORTNAME= bugzilla -PORTVERSION= 4.0.2 -PORTREVISION= 1 +PORTVERSION= 4.0.3 CATEGORIES= devel MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= webtools webtools/archived @@ -130,7 +129,7 @@ RUN_DEPENDS+= p5-JSON-RPC>=0:${PORTSDIR}/devel/p5-JSON-RPC \ .ifdef WITH_MODPERL2 RUN_DEPENDS+= ${SITE_PERL}/${PERL_ARCH}/mod_perl2.pm:${PORTSDIR}/www/mod_perl2 \ - ${SITE_PERL}/Apache/DBI.pm:${PORTSDIR}/www/p5-Apache-DBI-mp2 + ${SITE_PERL}/Apache/DBI.pm:${PORTSDIR}/www/p5-Apache-DBI .endif .ifdef WITH_GRAPHVIZ @@ -163,12 +162,13 @@ post-patch: @${PERL} -pi -e 's/(default =>.+|Default is )mysql/$$1Pg/' \ ${WRKSRC}/Bugzilla/Install/Localconfig.pm .endif - @${FIND} ${WRKSRC} \( -name "CVS" -or -name ".cvsignore" -or -name "*.orig" \ - -or -name ".bzr*" -or -name "README.docs" \) | ${XARGS} ${RM} -rf @${FIND} ${WRKSRC} -type f -exec ${REINPLACE_CMD} -i '' \ -e 's!/usr/lib/sendmail!/usr/sbin/sendmail!g; s=/usr/bin/perl=${PERL}=g' {} \+ @${FIND} ${WRKSRC}/docs -type f | \ ${XARGS} ${REINPLACE_CMD} -i '' -e "s!/var/www/html/bugzilla!${WWWDIR}!" + @${FIND} ${WRKSRC} \( -name "CVS" -or -name ".cvsignore" -or -name "*.orig" \ + -or -name "*.bak" -or -name ".bzr*" -or -name "README.docs" \) \ + | ${XARGS} ${RM} -rf do-install: .SILENT ${MKDIR} ${WWWDIR} @@ -183,15 +183,14 @@ do-install: .SILENT ${MKDIR} ${DOCSDIR} (cd ${WRKSRC}/docs/ && ${COPYTREE_SHARE} . ${DOCSDIR}/) .endif +# This are empty directories but they are needed, +# else ckecksetup.pl will fail! + ${MKDIR} ${WWWDIR}/contrib ${WWWDIR}/lib ${WWWDIR}/t ${WWWDIR}/xt .ifdef WITH_CONTRIB - ${MKDIR} ${WWWDIR}/contrib @cd ${WRKSRC}/contrib && \ ${FIND} . -type d -exec ${MKDIR} "${WWWDIR}/contrib/{}" \; && \ ${FIND} . -type f -exec ${INSTALL_DATA} "{}" "${WWWDIR}/contrib/{}" \; .endif -# This are empty directories but they are needed, -# else ckecksetup.pl will fail! - ${MKDIR} ${WWWDIR}/lib ${WWWDIR}/t ${WWWDIR}/xt .if !defined(BATCH) @${ECHO_MSG} @${CAT} ${PKGMESSAGE} diff --git a/devel/bugzilla/distinfo b/devel/bugzilla/distinfo index cf1fa326e801..26073a04e4a8 100644 --- a/devel/bugzilla/distinfo +++ b/devel/bugzilla/distinfo @@ -1,2 +1,2 @@ -SHA256 (bugzilla/bugzilla-4.0.2.tar.gz) = 9513d53f75aaf7dc6efc4b145c09d95d8148b976cd71a2cda3a1093a2183bd77 -SIZE (bugzilla/bugzilla-4.0.2.tar.gz) = 2987667 +SHA256 (bugzilla/bugzilla-4.0.3.tar.gz) = 0b24b5b44f9f14dd127f86bb2e560ac99e1dfba258bc0d8677968a9f3633435c +SIZE (bugzilla/bugzilla-4.0.3.tar.gz) = 2991669 diff --git a/devel/bugzilla/files/patch-Bugzilla__Install__Requirements.pm b/devel/bugzilla/files/patch-Bugzilla__Install__Requirements.pm deleted file mode 100644 index 20d0ca894dfb..000000000000 --- a/devel/bugzilla/files/patch-Bugzilla__Install__Requirements.pm +++ /dev/null @@ -1,14 +0,0 @@ ---- ./Bugzilla/Install/Requirements.pm.orig 2011-08-05 04:25:35.000000000 +0200 -+++ ./Bugzilla/Install/Requirements.pm 2011-08-16 08:55:28.000000000 +0200 -@@ -698,8 +698,9 @@ - # show "ok" or "not found". - if (exists $params->{found}) { - my $found_string; -- # We do a string compare in case it's non-numeric. -- if ($found and $found eq "-1") { -+ # We do a string compare in case it's non-numeric. We make sure -+ # it's not a version object as negative versions are forbidden. -+ if ($found && !ref($found) && $found eq '-1') { - $found_string = install_string('module_not_found'); - } - elsif ($found) { diff --git a/devel/bugzilla/files/patch-Bugzilla__WebService__Server__JSONRPC.pm b/devel/bugzilla/files/patch-Bugzilla__WebService__Server__JSONRPC.pm new file mode 100644 index 000000000000..0a06d1c5fbe3 --- /dev/null +++ b/devel/bugzilla/files/patch-Bugzilla__WebService__Server__JSONRPC.pm @@ -0,0 +1,33 @@ +Bug-Id: 706753 +Summary: Bugzilla will not work with newest version of + JSON::RPC 1.01 due to non-backward compatibility +URL: https://bugzilla.mozilla.org/show_bug.cgi?id=706753 + + +Index: Bugzilla/WebService/Server/JSONRPC.pm +=================================================================== +RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/WebService/Server/JSONRPC.pm,v +retrieving revision 1.18 +diff -p -u -r1.18 JSONRPC.pm +--- Bugzilla/WebService/Server/JSONRPC.pm 14 Feb 2011 20:18:51 -0000 1.18 ++++ Bugzilla/WebService/Server/JSONRPC.pm 5 Jan 2012 00:04:31 -0000 +@@ -22,7 +22,18 @@ + package Bugzilla::WebService::Server::JSONRPC; + + use strict; +-use base qw(JSON::RPC::Server::CGI Bugzilla::WebService::Server); ++use Bugzilla::WebService::Server; ++BEGIN { ++ our @ISA = qw(Bugzilla::WebService::Server); ++ ++ if (eval { require JSON::RPC::Server::CGI }) { ++ unshift(@ISA, 'JSON::RPC::Server::CGI'); ++ } ++ else { ++ require JSON::RPC::Legacy::Server::CGI; ++ unshift(@ISA, 'JSON::RPC::Legacy::Server::CGI'); ++ } ++} + + use Bugzilla::Error; + use Bugzilla::WebService::Constants; diff --git a/devel/bugzilla/pkg-plist b/devel/bugzilla/pkg-plist index 4ec6a4d1e169..3d14a8e767ca 100644 --- a/devel/bugzilla/pkg-plist +++ b/devel/bugzilla/pkg-plist @@ -974,7 +974,7 @@ @dirrm %%WWWDIR%%/images %%CONTRIB%%@dirrm %%WWWDIR%%/contrib/cmdline %%CONTRIB%%@dirrm %%WWWDIR%%/contrib/bugzilla-submit -%%CONTRIB%%@dirrmtry %%WWWDIR%%/contrib +@dirrmtry %%WWWDIR%%/contrib @dirrm %%WWWDIR%%/Bugzilla/Whine @dirrm %%WWWDIR%%/Bugzilla/WebService/Server @dirrm %%WWWDIR%%/Bugzilla/WebService @@ -1034,3 +1034,4 @@ @exec mkdir -p %D/%%WWWDIR%%/xt @exec mkdir -p %D/%%WWWDIR%%/t @exec mkdir -p %D/%%WWWDIR%%/lib +@exec mkdir -p %D/%%WWWDIR%%/contrib diff --git a/devel/bugzilla3/Makefile b/devel/bugzilla3/Makefile index fb6704931018..6f219633910f 100644 --- a/devel/bugzilla3/Makefile +++ b/devel/bugzilla3/Makefile @@ -6,7 +6,7 @@ # PORTNAME= bugzilla -PORTVERSION= 3.6.6 +PORTVERSION= 3.6.7 CATEGORIES= devel MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= webtools webtools/archived @@ -128,7 +128,7 @@ RUN_DEPENDS+= p5-JSON-RPC>=0:${PORTSDIR}/devel/p5-JSON-RPC .ifdef WITH_MODPERL2 RUN_DEPENDS+= ${SITE_PERL}/${PERL_ARCH}/mod_perl2.pm:${PORTSDIR}/www/mod_perl2 \ - ${SITE_PERL}/Apache/DBI.pm:${PORTSDIR}/www/p5-Apache-DBI-mp2 + ${SITE_PERL}/Apache/DBI.pm:${PORTSDIR}/www/p5-Apache-DBI .endif .ifdef WITH_GRAPHVIZ @@ -161,12 +161,13 @@ post-patch: @${PERL} -pi -e 's/(default =>.+|Default is )mysql/$$1Pg/' \ ${WRKSRC}/Bugzilla/Install/Localconfig.pm .endif - @${FIND} ${WRKSRC} \( -name "CVS" -or -name ".cvsignore" -or -name "*.orig" \ - -or -name ".bzr*" -or -name "README.docs" \) | ${XARGS} ${RM} -rf @${FIND} ${WRKSRC} -type f -exec ${REINPLACE_CMD} -i '' \ -e 's!/usr/lib/sendmail!/usr/sbin/sendmail!g; s=/usr/bin/perl=${PERL}=g' {} \+ @${FIND} ${WRKSRC}/docs -type f | \ ${XARGS} ${REINPLACE_CMD} -i '' -e "s!/var/www/html/bugzilla!${WWWDIR}!" + @${FIND} ${WRKSRC} \( -name "CVS" -or -name ".cvsignore" -or -name "*.orig" \ + -or -name "*.bak" -or -name ".bzr*" -or -name "README.docs" \) \ + | ${XARGS} ${RM} -rf do-install: .SILENT ${MKDIR} ${WWWDIR} @@ -181,15 +182,14 @@ do-install: .SILENT ${MKDIR} ${DOCSDIR} (cd ${WRKSRC}/docs/ && ${COPYTREE_SHARE} . ${DOCSDIR}/) .endif +# This are empty directories but they are needed, +# else ckecksetup.pl does not work as expected! + ${MKDIR} ${WWWDIR}/contrib ${WWWDIR}/lib ${WWWDIR}/t .ifdef WITH_CONTRIB - ${MKDIR} ${WWWDIR}/contrib @cd ${WRKSRC}/contrib && \ ${FIND} . -type d -exec ${MKDIR} "${WWWDIR}/contrib/{}" \; && \ ${FIND} . -type f -exec ${INSTALL_DATA} "{}" "${WWWDIR}/contrib/{}" \; .endif -# This are empty directories but they are needed, -# else ckecksetup.pl does not work as expected! - ${MKDIR} ${WWWDIR}/lib ${WWWDIR}/t .if !defined(BATCH) @${ECHO_MSG} @${CAT} ${PKGMESSAGE} diff --git a/devel/bugzilla3/distinfo b/devel/bugzilla3/distinfo index 55aebee2525e..83fde5c275b2 100644 --- a/devel/bugzilla3/distinfo +++ b/devel/bugzilla3/distinfo @@ -1,2 +1,2 @@ -SHA256 (bugzilla/bugzilla-3.6.6.tar.gz) = 76f0fac1bc2c1bb498868728bd64a90081ff848db96a75e9a2fc9bbe9942e546 -SIZE (bugzilla/bugzilla-3.6.6.tar.gz) = 2528601 +SHA256 (bugzilla/bugzilla-3.6.7.tar.gz) = bc4983b0b136a712e37414045383c0735bf23412d290141e1dc60c7a45d9cd11 +SIZE (bugzilla/bugzilla-3.6.7.tar.gz) = 2638159 diff --git a/devel/bugzilla3/files/patch-Bugzilla__WebService__Server__JSONRPC.pm b/devel/bugzilla3/files/patch-Bugzilla__WebService__Server__JSONRPC.pm new file mode 100644 index 000000000000..0a06d1c5fbe3 --- /dev/null +++ b/devel/bugzilla3/files/patch-Bugzilla__WebService__Server__JSONRPC.pm @@ -0,0 +1,33 @@ +Bug-Id: 706753 +Summary: Bugzilla will not work with newest version of + JSON::RPC 1.01 due to non-backward compatibility +URL: https://bugzilla.mozilla.org/show_bug.cgi?id=706753 + + +Index: Bugzilla/WebService/Server/JSONRPC.pm +=================================================================== +RCS file: /cvsroot/mozilla/webtools/bugzilla/Bugzilla/WebService/Server/JSONRPC.pm,v +retrieving revision 1.18 +diff -p -u -r1.18 JSONRPC.pm +--- Bugzilla/WebService/Server/JSONRPC.pm 14 Feb 2011 20:18:51 -0000 1.18 ++++ Bugzilla/WebService/Server/JSONRPC.pm 5 Jan 2012 00:04:31 -0000 +@@ -22,7 +22,18 @@ + package Bugzilla::WebService::Server::JSONRPC; + + use strict; +-use base qw(JSON::RPC::Server::CGI Bugzilla::WebService::Server); ++use Bugzilla::WebService::Server; ++BEGIN { ++ our @ISA = qw(Bugzilla::WebService::Server); ++ ++ if (eval { require JSON::RPC::Server::CGI }) { ++ unshift(@ISA, 'JSON::RPC::Server::CGI'); ++ } ++ else { ++ require JSON::RPC::Legacy::Server::CGI; ++ unshift(@ISA, 'JSON::RPC::Legacy::Server::CGI'); ++ } ++} + + use Bugzilla::Error; + use Bugzilla::WebService::Constants; diff --git a/devel/bugzilla3/pkg-plist b/devel/bugzilla3/pkg-plist index 9434e8b2943d..c767a7c89bcd 100644 --- a/devel/bugzilla3/pkg-plist +++ b/devel/bugzilla3/pkg-plist @@ -791,7 +791,7 @@ @dirrm %%WWWDIR%%/images %%CONTRIB%%@dirrm %%WWWDIR%%/contrib/cmdline %%CONTRIB%%@dirrm %%WWWDIR%%/contrib/bugzilla-submit -%%CONTRIB%%@dirrmtry %%WWWDIR%%/contrib +@dirrmtry %%WWWDIR%%/contrib @dirrm %%WWWDIR%%/Bugzilla/Whine @dirrm %%WWWDIR%%/Bugzilla/WebService/Server @dirrm %%WWWDIR%%/Bugzilla/WebService @@ -850,3 +850,4 @@ %%PORTDOCS%%@dirrm %%DOCSDIR%% @exec mkdir -p %D/%%WWWDIR%%/t @exec mkdir -p %D/%%WWWDIR%%/lib +@exec mkdir -p %D/%%WWWDIR%%/contrib |