Bug 203461 - mail/james: security/vuxml: update to 2.3.2.1 (arbitrary system command execution for servers)
Summary: mail/james: security/vuxml: update to 2.3.2.1 (arbitrary system command execu...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Jason Unovitch
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2015-10-01 02:15 UTC by Jason Unovitch
Modified: 2015-10-05 10:50 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jason Unovitch freebsd_committer 2015-10-01 02:15:30 UTC
http://www.openwall.com/lists/oss-security/2015/09/30/7

Also:
http://james.apache.org/download.cgi#Apache_James_Server
Apache James 2.3.2.1 is the stable version

This release has many enhancements and bug fixes over the previous release. See the Release Notes for a detailed list of changes. Some of the earlier defects could turn a James mail server into an Open Relay and allow files to be written on disk. All users of James Server are urged to upgrade to version v2.3.2.1 as soon as possible.
Comment 1 Jason Unovitch freebsd_committer 2015-10-01 02:33:17 UTC
Take, I'll work on this one.
Comment 2 commit-hook freebsd_committer 2015-10-01 03:14:41 UTC
A commit references this bug:

Author: junovitch
Date: Thu Oct  1 03:14:15 UTC 2015
New revision: 398246
URL: https://svnweb.freebsd.org/changeset/ports/398246

Log:
  Document security advisory for the Apache James server

  PR:		203461
  Security:	be3069c9-67e7-11e5-9909-002590263bf5

Changes:
  head/security/vuxml/vuln.xml
Comment 3 commit-hook freebsd_committer 2015-10-04 21:27:11 UTC
A commit references this bug:

Author: junovitch
Date: Sun Oct  4 21:26:11 UTC 2015
New revision: 398623
URL: https://svnweb.freebsd.org/changeset/ports/398623

Log:
  mail/james: security update 2.3.1 -> 2.3.2.1; while here fix all the things

  - Add LICENSE and LICENSE_FILE
  - Add NO_ARCH
  - Fix PID_FILE using an undefined variable (resulting PID was /var/run/.pid)
  - Fix .include lines post staging support
  - Actually use the version number from PLIST_SUB in pkg-plist
  - Overhaul rc script
    - Add PROVIDE/REQUIRE/KEYWORD to header
    - Remove "geronimo" references from when the port was originally copied
    - Remove %%JAMES_VERSION%% in rc variable names. Every port version bump
      in the past came with a POLA issue as james231_enable=YES would now
      have to be james2321_enable=YES. Provide a shim to translate the old
      variable names and provide a warning to update rc.conf syntax.
    - Match start routine to embedded start-up script (which enables stop
      command to work without a java.lang.IllegalThreadStateException)
    - Add working status routine
    - Standardize indentation

  PR:		203461
  Security:	CVE-2015-7611
  Security:	be3069c9-67e7-11e5-9909-002590263bf5
  MFH:		2015Q4

Changes:
  head/mail/james/Makefile
  head/mail/james/distinfo
  head/mail/james/files/james.in
  head/mail/james/pkg-plist
Comment 4 commit-hook freebsd_committer 2015-10-04 21:28:13 UTC
A commit references this bug:

Author: junovitch
Date: Sun Oct  4 21:27:57 UTC 2015
New revision: 398624
URL: https://svnweb.freebsd.org/changeset/ports/398624

Log:
  Add CVE reference to Apache James entry

  PR:		203461
  Security:	CVE-2015-7611
  Security:	be3069c9-67e7-11e5-9909-002590263bf5

Changes:
  head/security/vuxml/vuln.xml
Comment 5 commit-hook freebsd_committer 2015-10-05 10:47:59 UTC
A commit references this bug:

Author: junovitch
Date: Mon Oct  5 10:47:48 UTC 2015
New revision: 398638
URL: https://svnweb.freebsd.org/changeset/ports/398638

Log:
  MFH: r398623

  mail/james: security update 2.3.1 -> 2.3.2.1; while here fix all the things

  - Add LICENSE and LICENSE_FILE
  - Add NO_ARCH
  - Fix PID_FILE using an undefined variable (resulting PID was /var/run/.pid)
  - Fix .include lines post staging support
  - Actually use the version number from PLIST_SUB in pkg-plist
  - Overhaul rc script
    - Add PROVIDE/REQUIRE/KEYWORD to header
    - Remove "geronimo" references from when the port was originally copied
    - Remove %%JAMES_VERSION%% in rc variable names. Every port version bump
      in the past came with a POLA issue as james231_enable=YES would now
      have to be james2321_enable=YES. Provide a shim to translate the old
      variable names and provide a warning to update rc.conf syntax.
    - Match start routine to embedded start-up script (which enables stop
      command to work without a java.lang.IllegalThreadStateException)
    - Add working status routine
    - Standardize indentation

  PR:		203461
  Security:	CVE-2015-7611
  Security:	be3069c9-67e7-11e5-9909-002590263bf5
  Approved by:	portmgr (erwin)

Changes:
_U  branches/2015Q4/
  branches/2015Q4/mail/james/Makefile
  branches/2015Q4/mail/james/distinfo
  branches/2015Q4/mail/james/files/james.in
  branches/2015Q4/mail/james/pkg-plist
Comment 6 Jason Unovitch freebsd_committer 2015-10-05 10:50:09 UTC
Closing.

ports/head, ports/branches/2015Q4, and VuXML have all been completed.