From oss-security mailing list at $URL:

We (the upstream PostfixAdmin developers) received a report about SQL injections and XSS in PostfixAdmin. The issues are fixed in PostfixAdmin 2.3.5, which I'll release today or tomorrow.

For reference, here's the changelog with all details:

- fix SQL injection in pacrypt() (if $CONF[encrypt] == 'mysql_encrypt')
- fix SQL injection in backup.php - the dump was not mysql_escape()d, therefore users could inject SQL (for example in the vacation message) which will be executed when restoring the database dump.
  WARNING: database dumps created with backup.php from 2.3.4 or older might contain malicious SQL. Double-check before using them!
- fix XSS with $_GET[domain] in templates/menu.php and edit-vacation
- fix XSS in some create-domain input fields
- fix XSS in create-alias and edit-alias error message
- fix XSS (by values stored in the database) in fetchmail list view, list-domain and list-virtual
- create-domain: fix SQL injection (only exploitable by superadmins)
- add missing $LANG['pAdminDelete_admin_error']
- don't mark mailbox targets with recipient delimiter as "forward only"
- wrap hex2bin with function_exists() - PHP 5.3.8 has it as native function
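As an added example (not code from the PostfixAdmin project or from this thread), here is the kind of double-check the backup.php warning above asks for: a quote-aware splitter that breaks an old dump into statements and lists anything that is not a plain INSERT into a known table, plus the literal quoting the dump writer should have applied. The table names, the data-only INSERT format and MySQL-style backslash escaping are assumptions.

```python
import re
# Assumed PostfixAdmin table names; a data dump should hold only INSERTs into these.
KNOWN_TABLES = {"admin", "alias", "domain", "domain_admins", "fetchmail", "mailbox", "vacation"}
INSERT_RE = re.compile(r"^INSERT\s+INTO\s+`?(\w+)`?\s*\(", re.I)

# Constructed fragment: two clean rows, then an unescaped vacation body whose literal ends early.
SAMPLE_DUMP = (
    "INSERT INTO domain (domain, description) VALUES ('example.com', 'Example; Inc');\n"
    "INSERT INTO vacation (email, body) VALUES ('alice@example.com', 'Back on Monday');\n"
    "INSERT INTO vacation (email, body) VALUES ('bob@example.com', 'x'); DROP TABLE mailbox; -- ');\n"
)

def split_statements(dump):
    """Split on ';' outside single-quoted literals (backslash escapes); drop '--' comments."""
    stmts, buf, in_str, i = [], [], False, 0
    while i < len(dump):
        c = dump[i]
        if in_str:
            buf.append(c)
            if c == "\\" and i + 1 < len(dump):  # escaped char stays inside the literal
                i += 1
                buf.append(dump[i])
            elif c == "'":
                in_str = False
        elif dump.startswith("--", i):  # comment runs to end of line
            i = dump.find("\n", i)
            if i < 0:
                break
        elif c == "'":
            in_str = True
            buf.append(c)
        elif c == ";":
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    return stmts + [tail] if tail else stmts

def suspicious_statements(dump):
    """Return every statement that is not a plain INSERT into a known table."""
    return [s for s in split_statements(dump)
            if not ((m := INSERT_RE.match(s)) and m.group(1).lower() in KNOWN_TABLES)]

def sql_literal(value):
    """Quote a value as the dump writer should have (mysql_real_escape_string rules)."""
    esc = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "'" + "".join(esc.get(ch, ch) for ch in value) + "'"
```

On the constructed sample, suspicious_statements() reports only the stray DROP TABLE; the same vacation body written through sql_literal() stays a single INSERT statement.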
any word on an ebuild version bump for 2.3.5?
*** Bug 410627 has been marked as a duplicate of this bug. ***
(In reply to comment #1)
> any word on an ebuild version bump for 2.3.5?

Rename the ebuild to 2.3.5 and change the SRC_URI line to the one below:

SRC_URI="mirror://sourceforge/projects/${PN}/${PN}/${P}/${PN}_${PV}.tar.gz"

Seems to work w/o problems.

-Josh
(In reply to comment #3)
> (In reply to comment #1)
> > any word on an ebuild version bump for 2.3.5?
>
> Rename the ebuild to 2.3.5 and change the SRC_URI line to the one below:
> SRC_URI="mirror://sourceforge/projects/${PN}/${PN}/${P}/${PN}_${PV}.tar.gz"
>
> Seems to work w/o problems.
>
> -Josh

Heh, wrong SRC_URI, sorry...

SRC_URI="mirror://sourceforge/project/${PN}/${PN}/${P}/${PN}-${PV}.tar.gz"
I've cleaned up postfixadmin and have the changes sitting in my checkout. As keeping it that way is a PITA with CVS, I'm gonna commit it in three days if pva/web-apps don't tell me otherwise.
Thanks mabi. Arches, please test and mark stable: =www-apps/postfixadmin-2.3.5 Target KEYWORDS : "amd64 x86"
amd64 stable
x86 stable. Last arch.
@security, please vote.
Thanks, folks. GLSA Vote: yes.
YES too, request filed.
This issue was resolved and addressed in GLSA 201209-18 at http://security.gentoo.org/glsa/glsa-201209-18.xml by GLSA coordinator Sean Amoss (ackle).