pkgsrc-Changes archive


CVS commit: pkgsrc/devel/rt3



Module Name:    pkgsrc
Committed By:   spz
Date:           Sun May 26 16:55:53 UTC 2013

Modified Files:
        pkgsrc/devel/rt3: Makefile Makefile.install PLIST distinfo

Log Message:
security update for RT3, fixing:

    CVE-2013-3368
    CVE-2013-3369
    CVE-2013-3370
    CVE-2013-3371
    CVE-2013-3372
    CVE-2013-3373
    CVE-2013-3374

It also includes a database upgrade, so please make sure to run `make
upgrade-database`.

Changes in detail are:
3.8.15->3.8.16:
ruz     stop RT from locking on "large" mails
ruz     make sure data is recorded (tests)
alexmv  Remove bogus argument to ->get(), which fails on HTTP::Message >= 5.05
alexmv  Ensure that tickets are destroyed before global destruction, in more
alexmv  Work around a bug in perl < 5.13.10 with open($fh, ">:raw", \$string)
sunnavy destroy more tickets and objects before global destruction for modern
tsibley Remove the "signature" paragraph from the README's explanation of RT

3.8.16->3.8.17:
alexmv  Ensure that filenames in inline image attributes are HTML-escaped
alexmv  Deny direct access to callbacks
alexmv  Protect calls to $m->comp with user input in ColumnMap
alexmv  Ensure that subjects cannot contain embedded newlines
alexmv  Remove filename= suggestions from Content-Disposition lines
alexmv  Ensure consistent escaping of filenames in attachment URIs
alexmv  Ensure that URLs placed in HTML attributes are escaped correctly, to
        prevent XSS injection
alexmv  Ensure that the default replacement does not pass through unescaped
        content
alexmv  Use File::Temp for non-predictable temporary filenames


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 pkgsrc/devel/rt3/Makefile
cvs rdiff -u -r1.19 -r1.20 pkgsrc/devel/rt3/Makefile.install
cvs rdiff -u -r1.22 -r1.23 pkgsrc/devel/rt3/PLIST
cvs rdiff -u -r1.23 -r1.24 pkgsrc/devel/rt3/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



