The following impacts the ports devel/bugzilla and devel/bugzilla3 at least:

* Internet Explorer 8 and older, and Safari before 5.0.6, do content sniffing when viewing a patch in "Raw Unified" mode, which could trigger a cross-site scripting attack due to the execution of malicious code in the attachment.
* Attachment descriptions with a newline in them could lead to the injection of crafted headers in email notifications sent to the requestee or the requester when editing an attachment flag.
* If an attacker has access to a user's session, he can modify that user's email address without that user being notified of the change.

===
References: https://bugzilla.mozilla.org/show_bug.cgi?id=637981
CVE Number: CVE-2011-2379
Class: Information Leak
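The second item in the report above is a classic e-mail header injection: a CR/LF inside an untrusted value ends the header it was placed in, and whatever follows is parsed as a header of its own. The block below is an added example, not Bugzilla's code and not part of the FreeBSD port; it assumes a hypothetical flag-change notifier that puts the attachment description into the Subject header, and the addresses, body and description are constructed sample input. It shows the vulnerable construction beside a hardened one and parses both the way an MTA would.

```python
"""Email header injection through a newline in an untrusted field.

Added example, not Bugzilla's or the FreeBSD port's code.  It assumes a
hypothetical flag-change notifier that places the attachment description
in the Subject header; addresses, body and description below are
constructed sample input.
"""
from email import message_from_string

# Constructed sample input: an attachment description under attacker control.
# The CR/LF followed by "Bcc:" is the injection attempt.
MALICIOUS_DESCRIPTION = "fix for bug 123\r\nBcc: attacker@example.net"
REQUESTEE = "requestee@example.org"
BODY = "The flag on your attachment was changed.\r\n"


def build_notification_naive(description, requestee):
    """Vulnerable: the description is concatenated into the header block
    unchecked, so a CR/LF inside it terminates the Subject header and the
    text after it is parsed as a new header (here an extra Bcc recipient)."""
    return (
        f"To: {requestee}\r\n"
        f"Subject: [Bug] attachment flag changed: {description}\r\n"
        "\r\n" + BODY
    )


def sanitize_header_value(value):
    """Collapse every run of whitespace, CR and LF included, to one space.
    A single-line header value has no legitimate use for a line break, so
    nothing of value is lost and no header boundary can be forged."""
    return " ".join(value.split())


def build_notification_safe(description, requestee):
    """Hardened: every untrusted value is sanitised before it reaches a
    header, the address included, since it is user-editable data too."""
    return (
        f"To: {sanitize_header_value(requestee)}\r\n"
        f"Subject: [Bug] attachment flag changed: "
        f"{sanitize_header_value(description)}\r\n"
        "\r\n" + BODY
    )


def parsed_headers(raw_message):
    """Parse the message as a mail agent would and return its headers.
    Whatever appears here as a Bcc key would be honoured by an MTA."""
    msg = message_from_string(raw_message)
    return dict(msg.items())


if __name__ == "__main__":
    naive = parsed_headers(build_notification_naive(MALICIOUS_DESCRIPTION, REQUESTEE))
    safe = parsed_headers(build_notification_safe(MALICIOUS_DESCRIPTION, REQUESTEE))
    print("naive Bcc:", naive.get("Bcc"))   # attacker@example.net
    print("safe Bcc: ", safe.get("Bcc"))    # None
    print("safe Subject:", safe["Subject"])
```

Collapsing whitespace keeps the notification going out with the offending text harmlessly inside the Subject; if you would rather surface the attempt, raise instead of collapsing, and log the value. Either way the check belongs on every field that reaches a header, not only on the one the advisory names.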
You can't take no for an answer, FreeBSD-gnats-submit! Attaching a patch here for devel/bugzilla; it works for me that way. devel/bugzilla3 still needs a patch.

73! Peter
pgp: A0E26627 (4A42 6841 2871 5EA7 52AB 12F8 0CE1 4AAC A0E2 6627)
--
http://vereshagin.org
Responsible Changed From-To: freebsd-ports-bugs->skv

over to maintainer
skv 2011-08-13 18:24:21 UTC

FreeBSD ports repository

Modified files:
  devel/bugzilla       Makefile distinfo
Log:
  Update to 4.0.2

  Changes:  http://www.bugzilla.org/releases/4.0.2/release-notes.html
  Security: http://www.vuxml.org/freebsd/dc8741b9-c5d5-11e0-8a8e-00151735203a.html

  PR:           ports/159576
  Submitted by: Peter Vereshagin <peter@vereshagin.org>

Revision  Changes    Path
1.87      +3 -4      ports/devel/bugzilla/Makefile
1.46      +2 -2      ports/devel/bugzilla/distinfo
State Changed From-To: open->closed

Committed, thanks!