- Update net/isc-dhcp41-server to 4.1-ESV-R6 [1]

- Document vulnerabilities in net/isc-dhcp41-server - Cleanup formatting in vuxml PR: ports/170245 [1] Submitted by: Douglas Thrift <douglas@douglasthrift.net> (maintainer) [1] Security: c7fa3618-d5ff-11e1-90a2-000c299b62e1
svn path=/head/; revision=301716
2012-07-30 12:42:32 +00:00 · 2012-07-30 12:42:32 +00:00 · 8e1a9e3a0b · 2021-03-31 03:12:20 +00:00
commit 8e1a9e3a0b
parent 4f0b31d350
3 changed files with 33 additions and 29 deletions
--- a/net/isc-dhcp41-server/Makefile
+++ b/net/isc-dhcp41-server/Makefile
@ -21,10 +21,10 @@ COMMENT?=	The ISC Dynamic Host Configuration Protocol server

 LICENSE=	ISCL

-PATCHLEVEL=	R5
-PORTREVISION_SERVER=	4
-PORTREVISION_CLIENT=	1
-PORTREVISION_RELAY=	4
+PATCHLEVEL=	R6
+PORTREVISION_SERVER=	5
+PORTREVISION_CLIENT=	2
+PORTREVISION_RELAY=	5

 SUBSYS?=	server
 WRKSRC=		${WRKDIR}/${PORTNAME}-${DISTVERSION}-${PATCHLEVEL}
--- a/net/isc-dhcp41-server/distinfo
+++ b/net/isc-dhcp41-server/distinfo
@ -1,4 +1,4 @@
-SHA256 (dhcp-4.1-ESV-R5.tar.gz) = c028fd6f9c1fff38fd0ae21cc89a70912e0eb759ea1019fb25b145cf14527583
-SIZE (dhcp-4.1-ESV-R5.tar.gz) = 1120684
+SHA256 (dhcp-4.1-ESV-R6.tar.gz) = deb666a1ab02dd1375c0ebd237ce1fcb3e4d9e7be520d25ba25f1f40eb0ead9e
+SIZE (dhcp-4.1-ESV-R6.tar.gz) = 1121186
 SHA256 (ldap-for-dhcp-4.1.1-2.tar.gz) = 566b7be2ebefdc583d0bf0095c804ba69807b67e5cc29a2b64b1b39202b37d0d
 SIZE (ldap-for-dhcp-4.1.1-2.tar.gz) = 39004
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@ -67,28 +67,28 @@ Note:  Please add new entries to the beginning of this file.
 	<h1>A Bugzilla Security Advisory reports:</h1>
 	<blockquote cite="http://www.bugzilla.org/security/3.6.9/">
 	  <p>The following security issues have been discovered in
-	    Bugzilla:</p>
+	     Bugzilla:</p>
 	  <h1>Information Leak</h1>
 	  <p>Versions: 4.1.1 to 4.2.1, 4.3.1</p>
 	  <p>In HTML bugmails, all bug IDs and attachment IDs are
-	   linkified, and hovering these links displays a tooltip
-	   with the bug summary or the attachment description if
-	   the user is allowed to see the bug or attachment.
-	   But when validating user permissions when generating the
-	   email, the permissions of the user who edited the bug were
-	   taken into account instead of the permissions of the
-	   addressee. This means that confidential information could
-	   be disclosed to the addressee if the other user has more
-	   privileges than the addressee.
-	   Plain text bugmails are not affected as bug and attachment
-	   IDs are not linkified.</p>
+	     linkified, and hovering these links displays a tooltip
+	     with the bug summary or the attachment description if
+	     the user is allowed to see the bug or attachment.
+	     But when validating user permissions when generating the
+	     email, the permissions of the user who edited the bug were
+	     taken into account instead of the permissions of the
+	     addressee. This means that confidential information could
+	     be disclosed to the addressee if the other user has more
+	     privileges than the addressee.
+	     Plain text bugmails are not affected as bug and attachment
+	     IDs are not linkified.</p>
 	  <h1>Information Leak</h1>
-           <p>Versions: 2.17.5 to 3.6.9, 3.7.1 to 4.0.6, 4.1.1 to
-            4.2.1, 4.3.1</p>
+          <p>Versions: 2.17.5 to 3.6.9, 3.7.1 to 4.0.6, 4.1.1 to
+              4.2.1, 4.3.1</p>
 	  <p>The description of a private attachment could be visible
-	   to a user who hasn't permissions to access this attachment
-	   if the attachment ID is mentioned in a public comment in
-	   a bug that the user can see.</p>
+	     to a user who hasn't permissions to access this attachment
+	     if the attachment ID is mentioned in a public comment in
+	     a bug that the user can see.</p>
 	</blockquote>
      </body>
    </description>
@ -176,13 +176,13 @@ Note:  Please add new entries to the beginning of this file.
 	<p>The RT development team reports:</p>
 	<blockquote cite="http://blog.bestpractical.com/2012/07/security-vulnerabilities-in-three-commonly-deployed-rt-extensions.html">
 	  <p>RT::Authen::ExternalAuth 0.10 and below (for all versions
-	  of RT) are vulnerable to an escalation of privilege attack
-	  where the URL of a RSS feed of the user can be used to
-	  acquire a fully logged-in session as that user.
-	  CVE-2012-2770 has been assigned to this vulnerability.</p>
+	     of RT) are vulnerable to an escalation of privilege attack
+	     where the URL of a RSS feed of the user can be used to
+	     acquire a fully logged-in session as that user.
+	     CVE-2012-2770 has been assigned to this vulnerability.</p>
 	  <p>Users of RT 3.8.2 and above should upgrade to
-	  RT::Authen::ExternalAuth 0.11, which resolves this
-	  vulnerability.</p>
+	     RT::Authen::ExternalAuth 0.11, which resolves this
+	     vulnerability.</p>
 	</blockquote>
      </body>
    </description>
@ -199,6 +199,10 @@ Note:  Please add new entries to the beginning of this file.
  <vuln vid="c7fa3618-d5ff-11e1-90a2-000c299b62e1">
    <topic>isc-dhcp -- multiple vulnerabilities</topic>
    <affects>
+      <package>
+	<name>isc-dhcp41-server</name>
+	<range><lt>4.1.e_5,2</lt></range>
+      </package>
      <package>
 	<name>isc-dhcp42-server</name>
 	<range><lt>4.2.4_1</lt></range>