Path to this page:
Subject: CVS commit: [pkgsrc-2013Q1] pkgsrc/devel/rt3
From: Matthias Scheler
Date: 2013-05-30 10:29:36
Message id: 20130530082936.33E5096@cvs.netbsd.org
Log Message:
Pullup ticket #4142 - requested by spz
devel/rt3: security update
Revisions pulled up:
- devel/rt3/Makefile 1.52
- devel/rt3/Makefile.install 1.20
- devel/rt3/PLIST 1.23
- devel/rt3/distinfo 1.24
---
Module Name: pkgsrc
Committed By: spz
Date: Sun May 26 16:55:53 UTC 2013
Modified Files:
pkgsrc/devel/rt3: Makefile Makefile.install PLIST distinfo
Log Message:
security update for RT3, fixing:
CVE-2013-3368
CVE-2013-3369
CVE-2013-3370
CVE-2013-3371
CVE-2013-3372
CVE-2013-3373
CVE-2013-3374
It also includes a database upgrade, so please make sure to run `make
upgrade-database`.
Changes in detail are:
3.8.15->3.8.16:
ruz stop RT from locking on "large" mails
ruz make sure data is recorded (tests)
alexmv Remove bogus argument to ->get(), which fail on HTTP::Message \
>= 5.05
alexmv Ensure that tickets are destroyed before global destruction, in more
alexmv Work around a bug in perl < 5.13.10 with open($fh, \
">:raw", \$string)
sunnavy destroy more tickets and objects before global destruction for modern
tsibley Remove the "signature" paragraph from the README's \
explanation of RT
3.8.16->3.8.17:
alexmv Ensure that filenames in inline image attributes are HTML-escaped
alexmv Deny direct access to callbacks
alexmv Protect calls to $m->comp with user input in ColumnMap
alexmv Ensure that subjects cannot contain embedded newlines
alexmv Remove filename= suggesions from Content-Disposition lines
alexmv Ensure consistent escaping of filenames in attachment URIs
alexmv Ensure that URLs placed in HTML attributes are escaped correctly, to
prevent XSS injection
alexmv Ensure that the default replacement does not pass through unescaped
content
alexmv Use File::Temp for non-predictable temporary filenames
Files: