Summary: | mail/phpmailer: Update to 5.2.14, Take MAINTAINER'ship, Add VuXML entry.
---|---
Product: | Ports & Packages
Component: | Individual Port(s)
Status: | Closed FIXED
Severity: | Affects Only Me
Priority: | Normal
Version: | Latest
Hardware: | Any
OS: | Any
Reporter: | Torsten Zühlsdorff <ports>
Assignee: | freebsd-ports-bugs (Nobody) <ports-bugs>
CC: | ports-secteam
Keywords: | patch, patch-ready, security
Flags: | amdmi3: merge-quarterly+

Description
Torsten Zühlsdorff
2015-11-12 14:01:58 UTC

@Torsten, thank you for taking this port under your wing. There's no need for the [tag] prefixes anymore.

If we can separate the security fix into a separate attachment, it will make this easier to merge only that fix to the security branch.

Comment on attachment 163055
patch with update to 5.2.14 and maintainer change
Port is not maintained, implicit approval

(In reply to Kubilay Kocak from comment #1)
> If we can separate the security fix into a separate attachment,
> it will make this easier to merge only that fix to the security branch.

I scanned roughly through the commit history and found the fix. But I will test this separately. Should I create a new PR for the security branch or should I attach the patch to this PR?

(In reply to Torsten Zühlsdorff from comment #3)
Here is perfectly fine, just give them obvious filenames/descriptions:

HEAD - Update to 5.2.14
QUARTERLY - Security fix

Or something equivalent

If you want to try your hand at a security/vuxml update, go nuts :)

Created attachment 163089
patch with security patches for 5.2.13
I've created patches to fix the security issue just for phpmailer 5.2.13. The diff intentionally excludes a patch for the unit-tests of the software. Currently I do not have enough time to bring the different versions together, so I've just ported the patches for the software itself.

Comment on attachment 163089
patch with security patches for 5.2.13
Port is not maintained, implicit approval

Created attachment 163090
vuxml update

> If you want to try your hand at a security/vuxml update, go nuts :)

Mh... translated into German this means I would become insane when trying it? Out of curiosity if my current level of insanity could be raised I did... something... and attached it happily :D I feel no difference till now ;)

Please let me know what could be improved. :)

(In reply to Torsten Zühlsdorff from comment #7)
Haha, my Australian slang getting in the way again ;)

"Go insane" is definitely one definition. The other is:

2. (in the imperative) Go ahead; feel free. "Can we play in the garden?" "Sure, go nuts." [1]

[1] https://en.wiktionary.org/wiki/go_nuts

Good job on the VuXML. In case it wasn't obvious, you can `make validate` the security/vuxml port to QA syntax correctness. Ports Security Team (ports-secteam@) should be able to help if any semantic 'correcting' is required.

This issue is now 'perfect' and ready to take.

I got that you mean "feel free", but the multiple meanings got funny because of the complaints I already read about the vuxml-file. :) With this in mind the vuxml entry was irritating and fun at the same time. Thanks therefore and the link. :)

Since this is a security issue: is there anything I can do to help speed up the process of being committed?

I'm hesitant to assign this directly to ports-secteam, which would preclude another committer from taking it.

Also, I note that the purported 'patch' (attachment 163089) appears to be svn status (not diff) output.

Can you clarify, and obsolete/update if necessary?

A commit references this bug:

Author: amdmi3
Date: Thu Dec 3 16:23:13 UTC 2015
New revision: 402879
URL: https://svnweb.freebsd.org/changeset/ports/402879

Log:
  Document PHPmailer SMTP injection vulnerability

  PR: 204500

Changes:
  head/security/vuxml/vuln.xml

vuxml entry committed, though I had to fix a few things. Main is that it should've stated <range><lt>5.2.14</lt></range> instead of <range><lt>5.2.13</lt></range> - versions < 5.2.14 are vulnerable.

There's actually no security patch attached to this PR (svn status output instead), but that's no problem - I guess we can just update to 5.2.14 both in head and a branch.

A commit references this bug:

Author: amdmi3
Date: Thu Dec 3 16:40:07 UTC 2015
New revision: 402885
URL: https://svnweb.freebsd.org/changeset/ports/402885

Log:
  - Update to 5.2.14
  - Pass maintainership to submitter

  PR: 204500
  Submitted by: ports@toco-domains.de
  MFH: 2015Q4
  Security: 8a90dc87-89f9-11e5-a408-00248c0c745d

Changes:
  head/mail/phpmailer/Makefile
  head/mail/phpmailer/distinfo
  head/mail/phpmailer/pkg-descr

A commit references this bug:

Author: amdmi3
Date: Thu Dec 3 16:44:22 UTC 2015
New revision: 402886
URL: https://svnweb.freebsd.org/changeset/ports/402886

Log:
  MFH: r402885

  - Update to 5.2.14
  - Pass maintainership to submitter

  PR: 204500
  Submitted by: ports@toco-domains.de
  Security: 8a90dc87-89f9-11e5-a408-00248c0c745d

  Approved by: ports-secteam (feld)

Changes:
  _U branches/2015Q4/
  branches/2015Q4/mail/phpmailer/Makefile
  branches/2015Q4/mail/phpmailer/distinfo
  branches/2015Q4/mail/phpmailer/pkg-descr
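
The range correction the committer describes in this PR (`<lt>5.2.14</lt>` rather than `<lt>5.2.13</lt>`) can be checked mechanically before an entry is submitted. The following is an added example, not part of the PR or of the VuXML tooling: the XML fragments are constructed, and the helper names and the plain dotted-numeric version comparison are assumptions (real port versions follow pkg-version(8) rules).

```python
import xml.etree.ElementTree as ET

# Constructed fragments modelled on a VuXML <affects> block; only the port
# name and the two <lt> values are taken from the thread.
TEMPLATE = ("<affects><package><name>phpmailer</name>"
            "<range><lt>{}</lt></range></package></affects>")
SUBMITTED = TEMPLATE.format("5.2.13")  # range as first submitted
COMMITTED = TEMPLATE.format("5.2.14")  # range after the committer's fix

OPS = {
    "lt": lambda v, b: v < b,
    "le": lambda v, b: v <= b,
    "gt": lambda v, b: v > b,
    "ge": lambda v, b: v >= b,
    "eq": lambda v, b: v == b,
}

def parse_version(text):
    # Assumption: dotted-numeric versions only (no PORTREVISION/PORTEPOCH).
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(affects_xml, package, version):
    """True if `version` of `package` falls inside any <range> of the fragment."""
    v = parse_version(version)
    for pkg in ET.fromstring(affects_xml).iter("package"):
        if package not in {n.text.strip() for n in pkg.findall("name")}:
            continue
        for rng in pkg.findall("range"):
            bounds = list(rng)
            # Every bound in one <range> must hold; an empty range matches nothing.
            if bounds and all(OPS[b.tag](v, parse_version(b.text)) for b in bounds):
                return True
    return False

def range_errors(affects_xml, package, last_vulnerable, first_fixed):
    """Boundary check: the last vulnerable release must match, the fix must not."""
    errors = []
    if not is_affected(affects_xml, package, last_vulnerable):
        errors.append(f"{last_vulnerable} is vulnerable but not matched")
    if is_affected(affects_xml, package, first_fixed):
        errors.append(f"{first_fixed} is fixed but still matched")
    return errors

if __name__ == "__main__":
    for label, xml in (("submitted", SUBMITTED), ("committed", COMMITTED)):
        print(label, range_errors(xml, "phpmailer", "5.2.13", "5.2.14") or "ok")
```

A check like this complements `make validate`, which covers syntax only: an off-by-one range is valid XML but leaves the last vulnerable release unflagged by audit tools.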