Date: Sun, 26 May 2013 16:55:53 +0000
From: "S.P.Zeidler"
Subject: CVS commit: pkgsrc/devel/rt3
To: pkgsrc-changes@NetBSD.org
Reply-To: spz@netbsd.org
Message-Id: <20130526165553.CA46F92@ivanova.netbsd.org>

Module Name:    pkgsrc
Committed By:   spz
Date:           Sun May 26 16:55:53 UTC 2013

Modified Files:
        pkgsrc/devel/rt3: Makefile Makefile.install PLIST distinfo

Log Message:
security update for RT3, fixing:
CVE-2013-3368 CVE-2013-3369 CVE-2013-3370 CVE-2013-3371 CVE-2013-3372
CVE-2013-3373 CVE-2013-3374

It also includes a database upgrade, so please make sure to run
`make upgrade-database`.

Changes in detail are:

3.8.15->3.8.16:
ruz      stop RT from locking on "large" mails
ruz      make sure data is recorded (tests)
alexmv   Remove bogus argument to ->get(), which fail on HTTP::Message >= 5.05
alexmv   Ensure that tickets are destroyed before global destruction, in more
alexmv   Work around a bug in perl < 5.13.10 with open($fh, ">:raw", \$string)
sunnavy  destroy more tickets and objects before global destruction for modern
tsibley  Remove the "signature" paragraph from the README's explanation of RT

3.8.16->3.8.17:
alexmv   Ensure that filenames in inline image attributes are HTML-escaped
alexmv   Deny direct access to callbacks
alexmv   Protect calls to $m->comp with user input in ColumnMap
alexmv   Ensure that subjects cannot contain embedded newlines
alexmv   Remove filename= suggestions from Content-Disposition lines
alexmv   Ensure consistent escaping of filenames in attachment URIs
alexmv   Ensure that URLs placed in HTML attributes are escaped correctly, to prevent XSS injection
alexmv   Ensure that the default replacement does not pass through unescaped content
alexmv   Use File::Temp for non-predictable temporary filenames

To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 pkgsrc/devel/rt3/Makefile
cvs rdiff -u -r1.19 -r1.20 pkgsrc/devel/rt3/Makefile.install
cvs rdiff -u -r1.22 -r1.23 pkgsrc/devel/rt3/PLIST
cvs rdiff -u -r1.23 -r1.24 pkgsrc/devel/rt3/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.