Bug 130934 - [vuxml] update for vulnerability in devel/websvn
Summary: [vuxml] update for vulnerability in devel/websvn
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Martin Wilke
Reported: 2009-01-24 07:40 UTC by mark
Modified: 2009-02-09 15:21 UTC
Description mark 2009-01-24 07:40:03 UTC

Fix: 

<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
   <vuln vid="801d797c-6f14-4edc-85ff-b4d0a88d7fa7">
     <topic>websvn -- WebSVN Known Path Access Restriction Security Bypass</topic>
     <affects>
       <package>
         <name>websvn</name>
         <range><lt>2.1</lt></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
         <p>SANS reports:</p>
         <blockquote cite="http://permalink.gmane.org/gmane.comp.security.oss.general/1390">
           <p>WebSVN is an online SVN repository viewer. The
             application is exposed to a security bypass issue because it fails to
             properly implement access control mechanisms. WebSVN versions prior to
             2.1 are affected.</p>
         </blockquote>
       </body>
     </description>
     <references>
       <url>http://permalink.gmane.org/gmane.comp.security.oss.general/1390</url>
     </references>
     <dates>
       <discovery>2009-01-18</discovery>
       <entry>2009-01-23</entry>
     </dates>
   </vuln>
</vuxml>
Comment 1 Edwin Groothuis freebsd_committer 2009-01-24 07:40:16 UTC
Maintainer of devel/websvn,

Please note that PR ports/130934 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/130934

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 2 Edwin Groothuis freebsd_committer 2009-01-24 07:40:20 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 3 ychsiao 2009-01-29 17:28:14 UTC
please apply this patch (upgrade to 2.10)

diff -ruN --exclude=CVS /usr/ports/devel/websvn/Makefile /home/ychsiao/project/websvn/Makefile
--- /usr/ports/devel/websvn/Makefile    2007-09-06 12:16:57.000000000 +0800
+++ /home/ychsiao/project/websvn/Makefile       2009-01-30 01:21:09.000000000 +0800
@@ -6,9 +6,9 @@
 #

 PORTNAME=      websvn
-PORTVERSION=   2.0
+PORTVERSION=   2.1.0
 CATEGORIES=    devel www
-MASTER_SITES=  http://websvn.tigris.org/files/documents/1380/39378/
+MASTER_SITES=  http://websvn.tigris.org/files/documents/1380/44451/

 MAINTAINER=    ychsiao@ychsiao.org
 COMMENT=       Subversion repository web frontend
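Review bot: `PORTVERSION=   2.1.0` disagrees with the "upgrade to 2.10" wording in the submission, so the commit log should name 2.1.0 explicitly; that is also the version that falls outside the `<lt>2.1</lt>` range in the VuXML entry above. The new `MASTER_SITES` keeps a plain http:// URL with a hard-coded document id (`1380/44451`), which leaves distinfo as the only integrity check on the fetched tarball; confirm the URL still serves `websvn-2.1.0.tar.gz` before committing.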
diff -ruN --exclude=CVS /usr/ports/devel/websvn/distinfo /home/ychsiao/project/websvn/distinfo
--- /usr/ports/devel/websvn/distinfo    2007-09-06 12:16:57.000000000 +0800
+++ /home/ychsiao/project/websvn/distinfo       2009-01-30 01:25:51.000000000 +0800
@@ -1,3 +1,3 @@
-MD5 (websvn-2.0.tar.gz) = 047e02c0fa2948fdf98a3e348e3f1530
-SHA256 (websvn-2.0.tar.gz) = 38104a86d6a90bb3f18a5b0a957b46cf0c1409037bb2a83c09e9f24543cfa2ea
-SIZE (websvn-2.0.tar.gz) = 172005
+MD5 (websvn-2.1.0.tar.gz) = 0973edc5ca348424104147846b7d7152
+SHA256 (websvn-2.1.0.tar.gz) = d201eaf8dcf962c8402c2fdd1a798a5b5d4a9700b20c0dadfd83397ffe15afa6
+SIZE (websvn-2.1.0.tar.gz) = 572038
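Review bot: the `SHA256` line is the only strong check on a distfile that the Makefile fetches over plain http, so the committer should regenerate it from an independently fetched copy (`make makesum` and compare) rather than trust the submitted value; the `MD5` line adds nothing against tampering. `SIZE` also jumps from 172005 to 572038 bytes, which is worth a quick look at the tarball contents to confirm the growth is expected for 2.1.0.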
diff -ruN --exclude=CVS /usr/ports/devel/websvn/pkg-descr /home/ychsiao/project/websvn/pkg-descr
--- /usr/ports/devel/websvn/pkg-descr   2004-05-26 04:41:27.000000000 +0800
+++ /home/ychsiao/project/websvn/pkg-descr      2009-01-30 01:22:55.000000000 +0800
@@ -4,4 +4,4 @@
 given revision. You can also view the differences between 2 versions of
 a file so as to see exactly what was changed in a particular revision.

-WWW: http://websvn.tigris.org/
+WWW: http://www.websvn.info/
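Review bot: `WWW:` now points at http://www.websvn.info/ while the Makefile hunk in this same patch still downloads from websvn.tigris.org, so the port would advertise one site and fetch from another. Confirm that websvn.info is the project's own site, and if the project has moved, consider whether `MASTER_SITES` should follow it.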


* Edwin Groothuis <edwin@FreeBSD.org> [090124 15:40]:
> Maintainer of devel/websvn,
> 
> Please note that PR ports/130934 has just been submitted.
> 
> If it contains a patch for an upgrade, an enhancement or a bug fix
> you agree on, reply to this email stating that you approve the patch
> and a committer will take care of it.
> 
> The full text of the PR can be found at:
>     http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/130934
> 
> -- 
> Edwin Groothuis via the GNATS Auto Assign Tool
> edwin@FreeBSD.org
Comment 4 Martin Wilke freebsd_committer 2009-01-29 23:06:48 UTC
Responsible Changed
From-To: freebsd-ports-bugs->miwi

I'll take it.
Comment 5 dfilter service freebsd_committer 2009-02-09 14:53:11 UTC
miwi        2009-02-09 14:52:55 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - Document websvn -- multiple vulnerabilities
  
  PR:             based on 130934
  Submitted by:   Mark Foster <mark@foster.cc>
  
  Revision  Changes    Path
  1.1852    +45 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 6 dfilter service freebsd_committer 2009-02-09 15:00:20 UTC
miwi        2009-02-09 14:59:51 UTC

  FreeBSD ports repository

  Modified files:
    mail/phplist         Makefile distinfo pkg-plist 
  Log:
  - Update to 2.10.9
  
  PR:             130934
  Reported by:    Mark Foster <mark@foster.cc>
  Approved by:    maintainer timeout (security update 7 days)
  Security:       http://www.vuxml.org/freebsd/40774927-f6b4-11dd-94d9-0030843d3802.html
  
  Revision  Changes    Path
  1.4       +1 -1      ports/mail/phplist/Makefile
  1.3       +3 -3      ports/mail/phplist/distinfo
  1.3       +1 -0      ports/mail/phplist/pkg-plist
Comment 7 dfilter service freebsd_committer 2009-02-09 15:02:07 UTC
miwi        2009-02-09 15:01:57 UTC

  FreeBSD ports repository

  Modified files:
    devel/websvn         Makefile distinfo pkg-descr 
  Log:
  - Update to 2.1.0
  - Update WWW
  
  PR:             130934
  Submitted by:   Yuan-Chung Hsiao <ychsiao@ychsiao.org> (maintainer)
  Security:       http://www.vuxml.org/freebsd/71597e3e-f6b8-11dd-94d9-0030843d3802.html
  
  Revision  Changes    Path
  1.12      +2 -2      ports/devel/websvn/Makefile
  1.8       +3 -3      ports/devel/websvn/distinfo
  1.2       +1 -1      ports/devel/websvn/pkg-descr
Comment 8 Martin Wilke freebsd_committer 2009-02-09 15:20:59 UTC
State Changed
From-To: feedback->closed

documented and updated. thanks.