Bug 207187 - www/horde-base & devel/pear-Horde_Core: XSS vulnerabilities in 2016Q1 version
Summary: www/horde-base & devel/pear-Horde_Core: XSS vulnerabilities in 2016Q1 version
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: horde
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2016-02-14 13:05 UTC by Jason Unovitch
Modified: 2016-04-03 00:40 UTC

See Also:
bugzilla: maintainer-feedback? (horde)
junovitch: merge-quarterly?


Description Jason Unovitch freebsd_committer freebsd_triage 2016-02-14 13:05:15 UTC
https://github.com/horde/horde/commit/11d74fa5a22fe626c5e5a010b703cd46a136f253
https://github.com/horde/horde/commit/f03301cf6edcca57121a15e80014c4d0f29d99a0

This was documented in:
https://svnweb.FreeBSD.org/changeset/ports/408841

These are addressed in the recent Horde package updates SVN commits:
https://svnweb.FreeBSD.org/changeset/ports/407900
https://svnweb.FreeBSD.org/changeset/ports/407927
https://svnweb.FreeBSD.org/changeset/ports/408020

This touches a lot of packages though.  Should the 3 Horde updates be bulk MFH'd at once or just the patches from git applied?
Comment 1 Martin Matuska freebsd_committer freebsd_triage 2016-02-15 13:22:32 UTC
Merging just the git commits won't be easy as the PEAR packages keep track of their files' checksums. IMO it would be better to pull the whole update.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2016-04-03 00:40:48 UTC
Sorry for not revisiting this sooner but with 2016Q2 out this is overcome by events now.