Created attachment 183240: patch

Simple update. Take maintainership. The main fix is: Fix insufficient sendmail command argument escaping (thanks to Mitchel Sahertian, Maor Shwartz and Dawid Golunski for bringing this to our attention). [CVE-2017-7692]
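Comment 0 describes the fix only as "insufficient sendmail command argument escaping", which names a bug class rather than a mechanism. The following is an added example, not SquirrelMail's code and not part of this PR: it models the class generically in Python, an envelope-from address interpolated into a sendmail command line that a shell then word-splits, next to the shell-quoted form (the counterpart of PHP's escapeshellarg) and the argv-list form that avoids the shell entirely. The sendmail path, helper names and sample addresses are assumptions for this illustration, and it makes no claim about which SquirrelMail code path CVE-2017-7692 actually touched.

```python
"""Option injection into a sendmail command line, and two ways to close it.

Added example modelling the bug class named in comment 0; this is not
SquirrelMail code. SENDMAIL, the helper names and the sample addresses are
assumptions made for this illustration.
"""
import shlex
import string

SENDMAIL = "/usr/sbin/sendmail"  # assumed path


def build_cmd_unsafe(envelope_from: str) -> str:
    """Vulnerable pattern: interpolate the address into a string that a shell
    will word-split. Any whitespace in the address yields extra argv words,
    which sendmail then parses as further options."""
    return f"{SENDMAIL} -i -f{envelope_from} -t"


def build_cmd_safe(envelope_from: str) -> str:
    """Same command line with the address quoted for the shell, so that it
    survives word-splitting as a single argument."""
    return f"{SENDMAIL} -i -f{shlex.quote(envelope_from)} -t"


def build_argv(envelope_from: str) -> list[str]:
    """Preferred fix: no shell at all. Each list element is one argument, so
    the address can never split, whatever characters it contains."""
    return [SENDMAIL, "-i", "-f" + envelope_from, "-t"]


def shell_words(cmd: str) -> list[str]:
    """Model what /bin/sh does before exec: POSIX word-splitting and quote removal."""
    return shlex.split(cmd)


def injected_options(argv: list[str]) -> list[str]:
    """Options present in argv beyond the ones we intend to pass (-i, -f<addr>, -t)."""
    expected = {"-i", "-t"}
    return [
        a for a in argv[1:]
        if a.startswith("-") and a not in expected and not a.startswith("-f")
    ]


_ALLOWED = set(string.ascii_letters + string.digits + "@._+-=")


def envelope_from_ok(addr: str) -> bool:
    """Defence in depth: accept only a conservative address alphabet and refuse
    a leading '-' so the value can never look like an option on its own."""
    return bool(addr) and addr[0] != "-" and all(c in _ALLOWED for c in addr)


if __name__ == "__main__":
    # Constructed attacker-controlled address: a plausible mailbox followed by a
    # space and a sendmail option (-C selects an alternative configuration file).
    evil = "alice@example.com -C/tmp/evil.cf"
    for label, cmd in (("unsafe", build_cmd_unsafe(evil)), ("safe", build_cmd_safe(evil))):
        words = shell_words(cmd)
        print(f"{label:6s} argv={words} injected={injected_options(words)}")
    argv = build_argv(evil)
    print("argv list:", argv, "injected:", injected_options(argv))
    print("validator accepts evil address:", envelope_from_ok(evil))
```

Running the block shows the unsafe command line handing sendmail a fifth word, `-C/tmp/evil.cf`, while both the quoted form and the argv list keep the whole string inside the `-f` argument; the validator is a separate layer that rejects the address outright.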
Created attachment 183241: translations patch
Created attachment 184070: mail/squirrelmail update to 20170705

* update to newer version.
* includes a patch which solves the bug [1]. The original patch [2] was made by Paul Lesniewski on 2016-01-25.
* fix MASTER_SITES

[1] https://sourceforge.net/p/squirrelmail/bugs/2806/
[2] https://sourceforge.net/p/squirrelmail/bugs/_discuss/thread/feebafb3/f2f7/2c33/attachment/quoted_printable_fix-1.4.x-version_3.diff
@Zsolt Thank you for your contribution. Could you please obsolete outdated versions of patches (if there are any)? This can either be done when uploading a new attachment or by going to Attachment -> Details -> Edit Details -> [x] Obsolete.

If the two attachments are both to be committed, please combine them into a single svn diff, OR if they should be committed separately (for example, one per port), please update the descriptions so that this is clear. Example:

Attachment 1: category/port1: Update to blah
Attachment 2: category/port2: Translation blah

Please also confirm whether or not the latest patch (attachment 184070) also (continues to) resolve the CVE-2017-7692 mentioned in comment 0.
Created attachment 184072: mail/squirrelmail-translations update to 20170705
@Kubilay: I hope the patch comments are clear. The patches belong to different ports (mail/squirrelmail and mail/squirrelmail-translations). The squirrelmail-translations patch shouldn't be committed first because it requires a fresh squirrelmail (check its RUN_DEPENDS). I don't know whether in this case they can/should be one svn diff or not.

The CVE-2017-7692 fix is resolved with the newest patch too, because this fix is solved in the official source code (check commit [1]) and doesn't need an additional patch from FreeBSD.

[1] https://sourceforge.net/p/squirrelmail/code/14649/
Thank you for clarifying
Ping ports-secteam
A commit references this bug:

Author: swills
Date: Tue Aug 22 17:25:10 UTC 2017
New revision: 448570
URL: https://svnweb.freebsd.org/changeset/ports/448570

Log:
  mail/squirrelmail: Update to 20170705

  While here, give maintainership to submitter

  PR:		219801
  Submitted by:	Zsolt Udvari <uzsolt@uzsolt.hu>
  MFH:		2017Q3
  Security:	e1de77e8-c45e-48d7-8866-5a6f943046de

Changes:
  head/mail/squirrelmail/Makefile
  head/mail/squirrelmail/distinfo
  head/mail/squirrelmail/files/patch-functions__i18n.php
  head/mail/squirrelmail/files/patch-functions_strings.php
  head/mail/squirrelmail/pkg-plist
A commit references this bug:

Author: swills
Date: Tue Aug 22 17:26:08 UTC 2017
New revision: 448571
URL: https://svnweb.freebsd.org/changeset/ports/448571

Log:
  mail/squirrelmail-translations: Update to 20170705

  While here, give maintainership to submitter

  PR:		219801
  Submitted by:	Zsolt Udvari <uzsolt@uzsolt.hu>

Changes:
  head/mail/squirrelmail-translations/Makefile
  head/mail/squirrelmail-translations/distinfo
A commit references this bug:

Author: swills
Date: Tue Aug 22 17:26:42 UTC 2017
New revision: 448572
URL: https://svnweb.freebsd.org/changeset/ports/448572

Log:
  MFH: r448570

  mail/squirrelmail: Update to 20170705

  While here, give maintainership to submitter

  PR:		219801
  Submitted by:	Zsolt Udvari <uzsolt@uzsolt.hu>
  Security:	e1de77e8-c45e-48d7-8866-5a6f943046de
  Approved by:	ports-secteam (implicit)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/mail/squirrelmail/Makefile
  branches/2017Q3/mail/squirrelmail/distinfo
  branches/2017Q3/mail/squirrelmail/files/patch-functions__i18n.php
  branches/2017Q3/mail/squirrelmail/files/patch-functions_strings.php
  branches/2017Q3/mail/squirrelmail/pkg-plist
I documented the security vulnerability in vuxml, committed these changes, as well as MFH'ing the change to mail/squirrelmail. I wasn't sure if the change to mail/squirrelmail-translations needs to be MFH'd or not, so didn't do it for now. Please let me know if it does.