Bug 172114 - www/openx:update to 2.8.10
www/openx:update to 2.8.10
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Latest
Any Any
: Normal Affects Only Me
Assigned To: Ruslan Makhmatkhanov
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-09-27 15:20 UTC by Ruslan Makhmatkhanov
Modified: 2012-10-03 13:40 UTC (History)
0 users

See Also:


Attachments
file.diff (2.72 KB, patch)
2012-09-27 15:20 UTC, Ruslan Makhmatkhanov
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ruslan Makhmatkhanov freebsd_committer 2012-09-27 15:20:02 UTC
- update to 2.8.10

this release fixes sql injection vulnerability.

Fix: Patch attached with submission follows:
Comment 1 Edwin Groothuis freebsd_committer 2012-09-27 15:20:10 UTC
Maintainer of www/openx,

Please note that PR ports/172114 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/172114

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 2 Edwin Groothuis freebsd_committer 2012-09-27 15:20:14 UTC
State Changed
From-To: open->feedback

Awaiting maintainers feedback (via the GNATS Auto Assign Tool)
Comment 3 Ruslan Makhmatkhanov freebsd_committer 2012-09-27 16:05:41 UTC
Responsible Changed
From-To: freebsd-ports-bugs->rm

My PR.
Comment 4 dfilter freebsd_committer 2012-10-03 13:33:50 UTC
Author: rm
Date: Wed Oct  3 12:33:38 2012
New Revision: 305200
URL: http://svn.freebsd.org/changeset/ports/305200

Log:
  - update to 2.8.10
  - add vuxml entry
  
  This release fixes SQL injection vulnerability.
  
  PR:		172114
  Submitted by:	rm (myself)
  Approved by:	ports-secteam (eadler)
  Security:	dee44ba9-08ab-11e2-a044-d0df9acfd7e5

Modified:
  head/security/vuxml/vuln.xml
  head/www/openx/Makefile
  head/www/openx/distinfo

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Oct  3 12:24:20 2012	(r305199)
+++ head/security/vuxml/vuln.xml	Wed Oct  3 12:33:38 2012	(r305200)
@@ -51,6 +51,42 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="dee44ba9-08ab-11e2-a044-d0df9acfd7e5">
+    <topic>OpenX -- SQL injection vulnerability</topic>
+    <affects>
+      <package>
+        <name>openx</name>
+        <range><le>2.8.10</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+        <p>Secunia reports:</p>
+        <blockquote cite="http://secunia.com/advisories/50598/">
+          <p>A vulnerability has been discovered in OpenX, which can be
+             exploited by malicious people to conduct SQL injection 
+             attacks.</p>
+          <p>Input passed via the "xajaxargs" parameter to 
+             www/admin/updates-history.php (when "xajax" is set to 
+             "expandOSURow") is not properly sanitised in e.g. the 
+             "queryAuditBackupTablesByUpgradeId()" function 
+             (lib/OA/Upgrade/DB_UpgradeAuditor.php) before being used in SQL
+             queries. This can be exploited to manipulate SQL queries by 
+             injecting arbitrary SQL code.</p>
+          <p>The vulnerability is confirmed in version 2.8.9. Prior versions
+             may also be affected.</p>
+        </blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://secunia.com/advisories/50598/</url>
+    </references>
+    <dates>
+      <discovery>2012-09-14</discovery>
+      <entry>2012-09-27</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5bae2ab4-0820-11e2-be5f-00262d5ed8ee">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>

Modified: head/www/openx/Makefile
==============================================================================
--- head/www/openx/Makefile	Wed Oct  3 12:24:20 2012	(r305199)
+++ head/www/openx/Makefile	Wed Oct  3 12:33:38 2012	(r305200)
@@ -1,12 +1,8 @@
-# New ports collection makefile for:	openx
-# Date created:		13 March 2008
-# Whom:			Piotr Rybicki <meritus@innervision.pl>
-#
+# Created by: Piotr Rybicki <meritus@innervision.pl>
 # $FreeBSD$
-#
 
 PORTNAME=	openx
-PORTVERSION=	2.8.9
+PORTVERSION=	2.8.10
 CATEGORIES=	www
 MASTER_SITES=	http://download.openx.org/
 

Modified: head/www/openx/distinfo
==============================================================================
--- head/www/openx/distinfo	Wed Oct  3 12:24:20 2012	(r305199)
+++ head/www/openx/distinfo	Wed Oct  3 12:33:38 2012	(r305200)
@@ -1,2 +1,2 @@
-SHA256 (openx-2.8.9.tar.bz2) = b6c9eece311cd33c502cdf3b8b14027dcf72672318cff1adc12a81dedf5352db
-SIZE (openx-2.8.9.tar.bz2) = 9616171
+SHA256 (openx-2.8.10.tar.bz2) = 91418dcd3896e19532c4144e5f4c56bcfa49164e3304fa7240f2a1cc8b90bfc2
+SIZE (openx-2.8.10.tar.bz2) = 9787343
_______________________________________________
svn-ports-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
Comment 5 Ruslan Makhmatkhanov freebsd_committer 2012-10-03 13:37:16 UTC
State Changed
From-To: feedback->closed

Committed, thank you!