Bug 172114 - www/openx:update to 2.8.10
Summary: www/openx:update to 2.8.10
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Ruslan Makhmatkhanov
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-27 15:20 UTC by Ruslan Makhmatkhanov
Modified: 2012-10-03 13:40 UTC (History)
0 users

See Also:

Attachments
file.diff (2.72 KB, patch)
2012-09-27 15:20 UTC, Ruslan Makhmatkhanov 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2012-09-27 15:20:02 UTC 
- update to 2.8.10

this release fixes sql injection vulnerability.

Fix: Patch attached with submission follows:
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2012-09-27 15:20:10 UTC 
Maintainer of www/openx,

Please note that PR ports/172114 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/172114

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2012-09-27 15:20:14 UTC 
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 3 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2012-09-27 16:05:41 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->rm

My PR.
Comment 4 dfilter service freebsd_committer freebsd_triage 2012-10-03 13:33:50 UTC 
Author: rm
Date: Wed Oct  3 12:33:38 2012
New Revision: 305200
URL: http://svn.freebsd.org/changeset/ports/305200

Log:
  - update to 2.8.10
  - add vuxml entry
  
  This release fixes SQL injection vulnerability.
  
  PR:		172114
  Submitted by:	rm (myself)
  Approved by:	ports-secteam (eadler)
  Security:	dee44ba9-08ab-11e2-a044-d0df9acfd7e5

Modified:
  head/security/vuxml/vuln.xml
  head/www/openx/Makefile
  head/www/openx/distinfo

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Oct  3 12:24:20 2012	(r305199)
+++ head/security/vuxml/vuln.xml	Wed Oct  3 12:33:38 2012	(r305200)
@@ -51,6 +51,42 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="dee44ba9-08ab-11e2-a044-d0df9acfd7e5">
+    <topic>OpenX -- SQL injection vulnerability</topic>
+    <affects>
+      <package>
+        <name>openx</name>
+        <range><le>2.8.10</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+        <p>Secunia reports:</p>
+        <blockquote cite="http://secunia.com/advisories/50598/">
+          <p>A vulnerability has been discovered in OpenX, which can be
+             exploited by malicious people to conduct SQL injection 
+             attacks.</p>
+          <p>Input passed via the "xajaxargs" parameter to 
+             www/admin/updates-history.php (when "xajax" is set to 
+             "expandOSURow") is not properly sanitised in e.g. the 
+             "queryAuditBackupTablesByUpgradeId()" function 
+             (lib/OA/Upgrade/DB_UpgradeAuditor.php) before being used in SQL
+             queries. This can be exploited to manipulate SQL queries by 
+             injecting arbitrary SQL code.</p>
+          <p>The vulnerability is confirmed in version 2.8.9. Prior versions
+             may also be affected.</p>
+        </blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://secunia.com/advisories/50598/</url>
+    </references>
+    <dates>
+      <discovery>2012-09-14</discovery>
+      <entry>2012-09-27</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5bae2ab4-0820-11e2-be5f-00262d5ed8ee">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>

Modified: head/www/openx/Makefile
==============================================================================
--- head/www/openx/Makefile	Wed Oct  3 12:24:20 2012	(r305199)
+++ head/www/openx/Makefile	Wed Oct  3 12:33:38 2012	(r305200)
@@ -1,12 +1,8 @@
-# New ports collection makefile for:	openx
-# Date created:		13 March 2008
-# Whom:			Piotr Rybicki <meritus@innervision.pl>
-#
+# Created by: Piotr Rybicki <meritus@innervision.pl>
 # $FreeBSD$
-#
 
 PORTNAME=	openx
-PORTVERSION=	2.8.9
+PORTVERSION=	2.8.10
 CATEGORIES=	www
 MASTER_SITES=	http://download.openx.org/
 

Modified: head/www/openx/distinfo
==============================================================================
--- head/www/openx/distinfo	Wed Oct  3 12:24:20 2012	(r305199)
+++ head/www/openx/distinfo	Wed Oct  3 12:33:38 2012	(r305200)
@@ -1,2 +1,2 @@
-SHA256 (openx-2.8.9.tar.bz2) = b6c9eece311cd33c502cdf3b8b14027dcf72672318cff1adc12a81dedf5352db
-SIZE (openx-2.8.9.tar.bz2) = 9616171
+SHA256 (openx-2.8.10.tar.bz2) = 91418dcd3896e19532c4144e5f4c56bcfa49164e3304fa7240f2a1cc8b90bfc2
+SIZE (openx-2.8.10.tar.bz2) = 9787343
_______________________________________________
svn-ports-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
Comment 5 Ruslan Makhmatkhanov freebsd_committer freebsd_triage 2012-10-03 13:37:16 UTC 
State Changed
From-To: feedback->closed

Committed, thank you!