svn commit: r416649 - in branches/2016Q2/mail/roundcube: . files
Jason Unovitch
junovitch at FreeBSD.org
Fri Jun 10 01:17:32 UTC 2016
Author: junovitch
Date: Fri Jun 10 01:17:30 2016
New Revision: 416649
URL: https://svnweb.freebsd.org/changeset/ports/416649
Log:
MFH: r414979 r416648
Update to 1.1.5 release.
Apply patch from upstream for cross-site scripting vulnerability
PR: 209841
Reported by: Vladimir Krstulja <vlad-fbsd at acheronmedia.com>
Approved by: maintainer timeout (2 weeks)
Security: CVE-2016-5103
Security: https://vuxml.FreeBSD.org/freebsd/97e86d10-2ea7-11e6-ae88-002590263bf5.html
Approved by: ports-secteam (with hat)
Added:
branches/2016Q2/mail/roundcube/files/patch-CVE-2016-5103
- copied unchanged from r416648, head/mail/roundcube/files/patch-CVE-2016-5103
Modified:
branches/2016Q2/mail/roundcube/Makefile
branches/2016Q2/mail/roundcube/distinfo
Directory Properties:
branches/2016Q2/ (props changed)
Modified: branches/2016Q2/mail/roundcube/Makefile
==============================================================================
--- branches/2016Q2/mail/roundcube/Makefile Fri Jun 10 01:15:58 2016 (r416648)
+++ branches/2016Q2/mail/roundcube/Makefile Fri Jun 10 01:17:30 2016 (r416649)
@@ -1,11 +1,11 @@
# $FreeBSD$
PORTNAME= roundcube
-DISTVERSION= 1.1.4
+DISTVERSION= 1.1.5
PORTREVISION= 1
PORTEPOCH= 1
CATEGORIES?= mail www
-MASTER_SITES= SF/${PORTNAME}mail/${PORTNAME}mail/${DISTVERSION:tu}
+MASTER_SITES= https://github.com/roundcube/roundcubemail/releases/download/${DISTVERSION}/
DISTNAME= ${PORTNAME}mail-${DISTVERSION}-complete
MAINTAINER?= ale at FreeBSD.org
@@ -25,7 +25,7 @@ CPE_VENDOR= roundcube
WANT_PHP_WEB= yes
USE_PHP= pcre mbstring session iconv dom xml json intl zip filter
-IGNORE_WITH_PHP=52
+IGNORE_WITH_PHP=70
OPTIONS_DEFINE= SSL LDAP GD PSPELL NSC DOCS
OPTIONS_SINGLE= DB
Modified: branches/2016Q2/mail/roundcube/distinfo
==============================================================================
--- branches/2016Q2/mail/roundcube/distinfo Fri Jun 10 01:15:58 2016 (r416648)
+++ branches/2016Q2/mail/roundcube/distinfo Fri Jun 10 01:17:30 2016 (r416649)
@@ -1,2 +1,2 @@
-SHA256 (roundcubemail-1.1.4-complete.tar.gz) = 9bfe88255d4ffc288f5776de1cead78352469b1766d5ebaebe6e28043affe181
-SIZE (roundcubemail-1.1.4-complete.tar.gz) = 4578600
+SHA256 (roundcubemail-1.1.5-complete.tar.gz) = 476a1d45b0592b2ad43e3e08cbc72e69ef31e33ed8a8f071f02e5a1ae3e7f334
+SIZE (roundcubemail-1.1.5-complete.tar.gz) = 4581781
Copied: branches/2016Q2/mail/roundcube/files/patch-CVE-2016-5103 (from r416648, head/mail/roundcube/files/patch-CVE-2016-5103)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/2016Q2/mail/roundcube/files/patch-CVE-2016-5103 Fri Jun 10 01:17:30 2016 (r416649, copy of r416648, head/mail/roundcube/files/patch-CVE-2016-5103)
@@ -0,0 +1,19 @@
+commit 6652367d656de7e5f404935be04e10aa281add53
+Author: Aleksander Machniak <alec at alec.pl>
+Date: Fri May 6 08:28:15 2016 +0200
+
+ Fix XSS issue in href attribute on area tag (#5240, #5241)
+
+diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php
+index 5938d9b..d03f04a 100644
+--- program/lib/Roundcube/rcube_washtml.php
++++ program/lib/Roundcube/rcube_washtml.php
+@@ -370,7 +370,7 @@ class rcube_washtml
+ */
+ private function is_link_attribute($tag, $attr)
+ {
+- return $tag == 'a' && $attr == 'href';
++ return ($tag == 'a' || $tag == 'area') && $attr == 'href';
+ }
+
+ /**
More information about the svn-ports-all
mailing list