| Summary: | [PATCH] mail/postfixadmin Update to 3.0.2 (security fix) | | |
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Lukasz Wasikowski <lukasz> |
| Component: | Individual Port(s) | Assignee: | Kirill Ponomarev <krion> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | CC: | adamw, krion, ports.maintainer |
| Priority: | --- | Keywords: | patch |
| Version: | Latest | Flags: | ports.maintainer: maintainer-feedback+, ports.maintainer: merge-quarterly? |
| Hardware: | Any | | |
| OS: | Any | | |

Created attachment 179792 [details]
poudriere build log on 10.3
Created attachment 179793 [details]
poudriere build log on 11.0

Thank you. Please MFH.

Comment on attachment 179790 [details]
Patch to version 3.0.2

Approved.

A commit references this bug:

Author: krion
Date: Fri Feb 10 17:33:53 UTC 2017
New revision: 433819
URL: https://svnweb.freebsd.org/changeset/ports/433819

Log:
Update mail/postfixadmin to 3.0.2 (security fix)

SECURITY FIX: don't allow to delete protected aliases (CVE-2017-5930, PR#23).

Following non-security bugs were fixed:

- Fix VacationHandler for PostgreSQL
- AliasHandler: restrict mailbox subquery to allowed and specified domains to improve performance on setups with lots of mailboxes
- Allow switching between dovecot: password schemes while still accepting passwords hashed using the previous dovecot: scheme
- FetchmailHandler: use a valid date as default for 'date'
- Fix date formatting in non-english languages when using PostgreSQL

PR: 216932
Submitted by: lukasz@wasikowski.net
Approved by: maintainer, mat (mentor)
Differential Revision: https://reviews.freebsd.org/D9521

Changes:
head/mail/postfixadmin/Makefile
head/mail/postfixadmin/distinfo

Kirill, do you intend to merge this to quarterly?

(In reply to Adam Weinberger from comment #6)
Adam, I will inform ports-secteam@ about it first, as I forgot to put Security: CVE-YYYY-NNNN in the commit log message body

A commit references this bug:

Author: krion
Date: Mon Feb 13 10:48:24 UTC 2017
New revision: 433982
URL: https://svnweb.freebsd.org/changeset/ports/433982

Log:
MFH: r433819

Update mail/postfixadmin to 3.0.2 (security fix)

SECURITY FIX: don't allow to delete protected aliases (CVE-2017-5930, PR#23).

Following non-security bugs were fixed:

- Fix VacationHandler for PostgreSQL
- AliasHandler: restrict mailbox subquery to allowed and specified domains to improve performance on setups with lots of mailboxes
- Allow switching between dovecot: password schemes while still accepting passwords hashed using the previous dovecot: scheme
- FetchmailHandler: use a valid date as default for 'date'
- Fix date formatting in non-english languages when using PostgreSQL

PR: 216932
Submitted by: lukasz@wasikowski.net
Approved by: maintainer, mat (mentor)
Differential Revision: https://reviews.freebsd.org/D9521

Approved by: ports-secteam

Changes:
_U branches/2017Q1/
branches/2017Q1/mail/postfixadmin/Makefile
branches/2017Q1/mail/postfixadmin/distinfo

Created attachment 179790 [details]
Patch to version 3.0.2

Update to 3.0.2.

Message from developer:

The most important reason for the release was a SECURITY FIX: don't allow to delete protected aliases (CVE-2017-5930, PR#23). Thanks to Janfred @github for the report and the pull request!

Besides that, the following non-security bugs were fixed:

- fix VacationHandler for PostgreSQL
- AliasHandler: restrict mailbox subquery to allowed and specified domains to improve performance on setups with lots of mailboxes
- allow switching between dovecot: password schemes while still accepting passwords hashed using the previous dovecot: scheme
- FetchmailHandler: use a valid date as default for 'date'
- fix date formatting in non-english languages when using PostgreSQL
- debian packaging: improve dependencies, remove old templates_c/ files
- various small fixes

Updates from 3.0 should be boring, you don't even need to run setup.php.