Subject: CVS commit: [pkgsrc-2013Q1] pkgsrc/devel/rt3
From: Matthias Scheler
Date: 2013-05-30 10:29:36
Message id: 20130530082936.33E5096@cvs.netbsd.org

Log Message:
Pullup ticket #4142 - requested by spz
devel/rt3: security update

Revisions pulled up:
- devel/rt3/Makefile                                            1.52
- devel/rt3/Makefile.install                                    1.20
- devel/rt3/PLIST                                               1.23
- devel/rt3/distinfo                                            1.24

---
   Module Name:	pkgsrc
   Committed By:	spz
   Date:		Sun May 26 16:55:53 UTC 2013

   Modified Files:
   	pkgsrc/devel/rt3: Makefile Makefile.install PLIST distinfo

   Log Message:
   security update for RT3, fixing:

       CVE-2013-3368
       CVE-2013-3369
       CVE-2013-3370
       CVE-2013-3371
       CVE-2013-3372
       CVE-2013-3373
       CVE-2013-3374

   It also includes a database upgrade, so please make sure to run `make
   upgrade-database`.

   Changes in detail are:
   3.8.15->3.8.16:
   ruz 	stop RT from locking on "large" mails
   ruz 	make sure data is recorded (tests)
   alexmv 	Remove bogus argument to ->get(), which fail on HTTP::Message \ 
>= 5.05
   alexmv 	Ensure that tickets are destroyed before global destruction, in more
   alexmv 	Work around a bug in perl < 5.13.10 with open($fh, \ 
">:raw", \$string)
   sunnavy destroy more tickets and objects before global destruction for modern
   tsibley Remove the "signature" paragraph from the README's \ 
explanation of RT

   3.8.16->3.8.17:
   alexmv 	Ensure that filenames in inline image attributes are HTML-escaped
   alexmv 	Deny direct access to callbacks
   alexmv 	Protect calls to $m->comp with user input in ColumnMap
   alexmv 	Ensure that subjects cannot contain embedded newlines
   alexmv 	Remove filename= suggesions from Content-Disposition lines
   alexmv 	Ensure consistent escaping of filenames in attachment URIs
   alexmv 	Ensure that URLs placed in HTML attributes are escaped correctly, to
   	prevent XSS injection
   alexmv 	Ensure that the default replacement does not pass through unescaped
   	content
   alexmv 	Use File::Temp for non-predictable temporary filenames

Files:
RevisionActionfile
1.51.4.1modifypkgsrc/devel/rt3/Makefile
1.19.6.1modifypkgsrc/devel/rt3/Makefile.install
1.22.4.1modifypkgsrc/devel/rt3/PLIST
1.23.4.1modifypkgsrc/devel/rt3/distinfo