Bug 207187

Summary: www/horde-base & devel/pear-Horde_Core: XSS vulnerabilities in 2016Q1 version
Product: Ports & Packages
Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)
Assignee: horde
Status: Closed Overcome By Events
Severity: Affects Some People
CC: junovitch, mm, ports-secteam
Priority: ---
Keywords: security
Version: Latest
Flags: bugzilla: maintainer-feedback? (horde), junovitch: merge-quarterly?
Hardware: Any
OS: Any

Description Jason Unovitch freebsd_committer freebsd_triage 2016-02-14 13:05:15 UTC
https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253
https://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0

This was documented in:
https://svnweb.FreeBSD.org/changeset/ports/408841

These are addressed in the recent Horde package update SVN commits:
https://svnweb.FreeBSD.org/changeset/ports/407900
https://svnweb.FreeBSD.org/changeset/ports/407927
https://svnweb.FreeBSD.org/changeset/ports/408020

This touches a lot of packages though.  Should the 3 Horde updates be bulk MFH'd at once or just the patches from git applied?

Comment 1 Martin Matuska freebsd_committer freebsd_triage 2016-02-15 13:22:32 UTC
Merging just the git commits won't be easy as the PEAR packages keep track of their files' checksums. IMO it would be better to pull the whole update.

Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2016-04-03 00:40:48 UTC
Sorry for not revisiting this sooner, but with 2016Q2 out this is overcome by events now.