Created attachment 163055
patch with update to 5.2.14 and maintainer change

Hello,

attached is a patch to update the port to the current version 5.2.14. The update fixes a security issue (which has no CVE).

While here I:
- corrected the GitHub account to use
- fixed the outdated link to the homepage in pkg-descr
- became the new maintainer

portlint -C is fine.

poudriere test-builds are fine for:
9.3 amd64 + i386
10.1 amd64 + i386
10.2 amd64 + i386
11-current r290334 amd64 + i386

I did a basic runtime test. I use this lib in my own applications and they still send emails after the update. :D

Suggestion for commit message:

Log:
mail/phpmailer: update 5.2.13 -> 5.2.14

Changes:
* 5.2.14 (2015-11-01)
* Allow addresses with IDN (Internationalized Domain Name) in PHP 5.3+
* Allow access to POP3 errors
* Make all POP3 private properties and methods protected
* SECURITY Fix vulnerability that allowed email addresses with line breaks (valid in RFC5322) to pass to SMTP, permitting message injection at the SMTP level. Mitigated in both the address validator and in the lower-level SMTP class.
* Updated Brazilian Portuguese translations

Submitted by: Torsten Zühlsdorff <ports@toco-domains.de> (new maintainer)
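The two-layer mitigation the changelog entry above describes, rebuilt as an added stand-alone example (this is not PHPMailer's own code; the function names are hypothetical and the sample addresses are constructed):

```php
<?php
// Added example, not PHPMailer's code: the two-layer mitigation the 5.2.14
// changelog describes, rebuilt stand-alone. Function names are hypothetical.

// Layer 1: the address validator. RFC 5322 permits folding whitespace, so a
// grammar-faithful syntax check can accept "\r\n" inside an address; the
// line-break check therefore runs before any syntax validation.
function isSafeAddress(string $address): bool
{
    if (strpos($address, "\r") !== false || strpos($address, "\n") !== false) {
        return false; // a line break would terminate the SMTP command line
    }
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Layer 2: the SMTP client itself refuses to build a command whose argument
// spans lines, so a caller that bypassed validation still gets an error
// rather than a second command on the wire.
function buildRcptCommand(string $address): string
{
    if (preg_match('/[\r\n]/', $address) === 1) {
        throw new InvalidArgumentException('address contains a line break');
    }
    return 'RCPT TO:<' . $address . '>';
}

// Constructed sample inputs.
$samples = [
    'alice@example.com',             // accepted by both layers
    "alice@example.com\r\nextra",    // rejected: CR/LF inside the address
    "bob@example.org\n",             // rejected: a trailing LF alone is enough
];

foreach ($samples as $address) {
    $verdict = isSafeAddress($address) ? 'valid' : 'rejected by validator';
    try {
        $cmd = buildRcptCommand($address);
        $smtp = 'SMTP layer would send: ' . $cmd;
    } catch (InvalidArgumentException $e) {
        $smtp = 'SMTP layer refused: ' . $e->getMessage();
    }
    printf("%-40s %-22s %s\n", json_encode($address), $verdict, $smtp);
}
```

Running the script shows the first address passing both layers and the other two being stopped, independently, at each layer.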
@Torsten, thank you for taking this port under your wing. There's no need for the [tag] prefixes anymore.

If we can separate the security fix into a separate attachment, it will make it easier to merge only that fix to the security branch.
Comment on attachment 163055
patch with update to 5.2.14 and maintainer change

Port is not maintained, implicit approval
(In reply to Kubilay Kocak from comment #1)
> If we can separate the security fix into a separate attachment,
> it will make this easier to merge only that fix to the security branch.

I scanned roughly through the commit history and found the fix. But I will test this separately. Should I create a new PR for the security branch or should I attach the patch to this PR?
(In reply to Torsten Zühlsdorff from comment #3)

Here is perfectly fine, just give them obvious filenames/descriptions:

HEAD - Update to 5.2.14
QUARTERLY - Security fix

Or something equivalent.

If you want to try your hand at a security/vuxml update, go nuts :)
Created attachment 163089
patch with security patches for 5.2.13

I've created patches to fix the security issue just for phpmailer 5.2.13. The diff intentionally excludes a patch for the unit tests of the software. Currently I do not have enough time to bring the different versions together, so I've just ported the patches for the software itself.
Comment on attachment 163089
patch with security patches for 5.2.13

Port is not maintained, implicit approval
Created attachment 163090
vuxml update

> If you want to try your hand at a security/vuxml update, go nuts :)

Mh... translated into German this means I would become insane when trying it? Out of curiosity whether my current level of insanity could be raised, I did... something... and attached it happily :D I feel no difference till now ;)

Please let me know what could be improved. :)
(In reply to Torsten Zühlsdorff from comment #7)

Haha, my Australian slang getting in the way again ;)

"Go insane" is definitely one definition. The other is:

2. (in the imperative) Go ahead; feel free.
"Can we play in the garden?" "Sure, go nuts." [1]

[1] https://en.wiktionary.org/wiki/go_nuts

Good job on the VuXML. In case it wasn't obvious, you can `make validate` the security/vuxml port to QA syntax correctness. Ports Security Team (ports-secteam@) should be able to help if any semantic 'correcting' is required.

This issue is now 'perfect' and ready to take.
I got that you meant "feel free", but the multiple meanings got funny because of the complaints I had already read about the vuxml file. :) With this in mind the vuxml entry was irritating and fun at the same time. Thanks for that and for the link. :)
Since this is a security issue: is there anything I can do to help speed up the process of getting it committed?
I'm hesitant to assign this directly to ports-secteam, which would preclude another committer from taking it.

Also, I note that the purported 'patch' (attachment 163089) appears to be svn status (not diff) output. Can you clarify, and obsolete/update if necessary?
A commit references this bug:

Author: amdmi3
Date: Thu Dec 3 16:23:13 UTC 2015
New revision: 402879
URL: https://svnweb.freebsd.org/changeset/ports/402879

Log:
Document PHPmailer SMTP injection vulnerability

PR: 204500

Changes:
head/security/vuxml/vuln.xml
vuxml entry committed, though I had to fix a few things. The main one is that it should have stated <range><lt>5.2.14</lt></range> instead of <range><lt>5.2.13</lt></range> - versions < 5.2.14 are vulnerable.

There's actually no security patch attached to this PR (svn status output instead), but that's no problem - I guess we can just update to 5.2.14 both in head and a branch.
A commit references this bug:

Author: amdmi3
Date: Thu Dec 3 16:40:07 UTC 2015
New revision: 402885
URL: https://svnweb.freebsd.org/changeset/ports/402885

Log:
- Update to 5.2.14
- Pass maintainership to submitter

PR: 204500
Submitted by: ports@toco-domains.de
MFH: 2015Q4
Security: 8a90dc87-89f9-11e5-a408-00248c0c745d

Changes:
head/mail/phpmailer/Makefile
head/mail/phpmailer/distinfo
head/mail/phpmailer/pkg-descr
A commit references this bug:

Author: amdmi3
Date: Thu Dec 3 16:44:22 UTC 2015
New revision: 402886
URL: https://svnweb.freebsd.org/changeset/ports/402886

Log:
MFH: r402885

- Update to 5.2.14
- Pass maintainership to submitter

PR: 204500
Submitted by: ports@toco-domains.de
Security: 8a90dc87-89f9-11e5-a408-00248c0c745d
Approved by: ports-secteam (feld)

Changes:
_U branches/2015Q4/
branches/2015Q4/mail/phpmailer/Makefile
branches/2015Q4/mail/phpmailer/distinfo
branches/2015Q4/mail/phpmailer/pkg-descr