diff options
| author | Jason Unovitch <junovitch@FreeBSD.org> | 2016-06-10 01:17:30 +0000 |
|---|---|---|
| committer | Jason Unovitch <junovitch@FreeBSD.org> | 2016-06-10 01:17:30 +0000 |
| commit | 0f7982a4fde339171ac73804d8b30ec82b04fff4 (patch) | |
| tree | 168a380431a9b32ee8384efcad32077fb3e41333 | |
| parent | 9d25bb61490c00216a11c9eacec28001612f3e1f (diff) | |
| download | ports-0f7982a4fde339171ac73804d8b30ec82b04fff4.tar.gz ports-0f7982a4fde339171ac73804d8b30ec82b04fff4.zip | |
MFH: r414979 r416648
Update to 1.1.5 release.
Apply patch from upstream for cross-site scripting vulnerability
PR: 209841
Reported by: Vladimir Krstulja <vlad-fbsd@acheronmedia.com>
Approved by: maintainer timeout (2 weeks)
Security: CVE-2016-5103
Security: https://vuxml.FreeBSD.org/freebsd/97e86d10-2ea7-11e6-ae88-002590263bf5.html
Approved by: ports-secteam (with hat)
Notes
Notes:
svn path=/branches/2016Q2/; revision=416649
| -rw-r--r-- | mail/roundcube/Makefile | 6 | ||||
| -rw-r--r-- | mail/roundcube/distinfo | 4 | ||||
| -rw-r--r-- | mail/roundcube/files/patch-CVE-2016-5103 | 19 |
3 files changed, 24 insertions, 5 deletions
diff --git a/mail/roundcube/Makefile b/mail/roundcube/Makefile index 264930d39e4b..b2a712698a9c 100644 --- a/mail/roundcube/Makefile +++ b/mail/roundcube/Makefile @@ -1,11 +1,11 @@ # $FreeBSD$ PORTNAME= roundcube -DISTVERSION= 1.1.4 +DISTVERSION= 1.1.5 PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES?= mail www -MASTER_SITES= SF/${PORTNAME}mail/${PORTNAME}mail/${DISTVERSION:tu} +MASTER_SITES= https://github.com/roundcube/roundcubemail/releases/download/${DISTVERSION}/ DISTNAME= ${PORTNAME}mail-${DISTVERSION}-complete MAINTAINER?= ale@FreeBSD.org @@ -25,7 +25,7 @@ CPE_VENDOR= roundcube WANT_PHP_WEB= yes USE_PHP= pcre mbstring session iconv dom xml json intl zip filter -IGNORE_WITH_PHP=52 +IGNORE_WITH_PHP=70 OPTIONS_DEFINE= SSL LDAP GD PSPELL NSC DOCS OPTIONS_SINGLE= DB diff --git a/mail/roundcube/distinfo b/mail/roundcube/distinfo index dcf8999fdff9..25ee7e4fda6f 100644 --- a/mail/roundcube/distinfo +++ b/mail/roundcube/distinfo @@ -1,2 +1,2 @@ -SHA256 (roundcubemail-1.1.4-complete.tar.gz) = 9bfe88255d4ffc288f5776de1cead78352469b1766d5ebaebe6e28043affe181 -SIZE (roundcubemail-1.1.4-complete.tar.gz) = 4578600 +SHA256 (roundcubemail-1.1.5-complete.tar.gz) = 476a1d45b0592b2ad43e3e08cbc72e69ef31e33ed8a8f071f02e5a1ae3e7f334 +SIZE (roundcubemail-1.1.5-complete.tar.gz) = 4581781 diff --git a/mail/roundcube/files/patch-CVE-2016-5103 b/mail/roundcube/files/patch-CVE-2016-5103 new file mode 100644 index 000000000000..0014f6676fb8 --- /dev/null +++ b/mail/roundcube/files/patch-CVE-2016-5103 @@ -0,0 +1,19 @@ +commit 6652367d656de7e5f404935be04e10aa281add53 +Author: Aleksander Machniak <alec@alec.pl> +Date: Fri May 6 08:28:15 2016 +0200 + + Fix XSS issue in href attribute on area tag (#5240, #5241) + +diff --git a/program/lib/Roundcube/rcube_washtml.php b/program/lib/Roundcube/rcube_washtml.php +index 5938d9b..d03f04a 100644 +--- program/lib/Roundcube/rcube_washtml.php ++++ program/lib/Roundcube/rcube_washtml.php +@@ -370,7 +370,7 @@ class rcube_washtml + */ + private function is_link_attribute($tag, $attr) + { +- return $tag == 'a' && $attr == 'href'; ++ return ($tag == 'a' || $tag == 'area') && $attr == 'href'; + } + + /** |