cvs commit: ports/devel/bugzilla Makefile distinfo pkg-plist
ports/devel/bugzilla/files patch-Bugzilla__Install__Requirements.pm
patch-Bugzilla__WebService__Server__JSONRPC.pm
Olli Hauer
ohauer at FreeBSD.org
Thu Jan 5 17:25:29 UTC 2012
ohauer 2012-01-05 17:25:28 UTC
FreeBSD ports repository
Modified files:
devel/bugzilla Makefile distinfo pkg-plist
Added files:
devel/bugzilla/files
patch-Bugzilla__WebService__Server__JSONRPC.pm
Removed files:
devel/bugzilla/files patch-Bugzilla__Install__Requirements.pm
Log:
- update to version 3.6.7
- CVE-2011-3657
- CVE-2011-3667
Summary
=======
The following security issues have been discovered in Bugzilla:
* When viewing tabular or graphical reports as well as new charts,
an XSS vulnerability is possible in debug mode.
* The User.offer_account_by_email WebService method lets you create
a new user account even if the active authentication method forbids
users from creating an account.
* A CSRF vulnerability in post_bug.cgi and in attachment.cgi could
lead to the creation of unwanted bug reports and attachments.
All affected installations are encouraged to upgrade as soon as possible.
Full Release Notes:
http://www.bugzilla.org/security/3.4.12/
Approved by: skv@ (explicit)
Revision  Changes   Path
1.90      +8 -9     ports/devel/bugzilla/Makefile
1.47      +2 -2     ports/devel/bugzilla/distinfo
1.2       +0 -14    ports/devel/bugzilla/files/patch-Bugzilla__Install__Requirements.pm (dead)
1.1       +33 -0    ports/devel/bugzilla/files/patch-Bugzilla__WebService__Server__JSONRPC.pm (new)
1.41      +2 -1     ports/devel/bugzilla/pkg-plist