Dear release team,

The next Debian Edu release 6.0.5+r1 depends on a security fix in GOsa² (src:package gosa):
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665950

A new squeeze-compliant version of gosa (2.6.11-3+squeeze2) has now been provided by the gosa maintainer.
May I ask you to review the debdiff output below and give your permission for uploading gosa 2.6.11-3+squeeze2 to s-p-u.
Thanks in advance, Mike Gabriel diff -Nru gosa-2.6.11/debian/changelog gosa-2.6.11/debian/changelog --- gosa-2.6.11/debian/changelog 2012-02-06 13:43:11.000000000 +0100 +++ gosa-2.6.11/debian/changelog 2012-07-02 21:56:21.000000000 +0200 @@ -1,3 +1,9 @@ +gosa (2.6.11-3+squeeze2) stable; urgency=low + + * Backport shellvar escaping code. Closes: #665950. + + -- Cajus Pollmeier <cajus@debian.org> Mon, 11 Jun 2012 13:52:18 +0100 + gosa (2.6.11-3+squeeze1) stable; urgency=low * Fix DHCP host removal. Closes: #650258diff -Nru gosa-2.6.11/debian/patches/14_escape.patch gosa-2.6.11/debian/patches/14_escape.patch --- gosa-2.6.11/debian/patches/14_escape.patch 1970-01-01 01:00:00.000000000 +0100 +++ gosa-2.6.11/debian/patches/14_escape.patch 2012-07-02 21:54:37.000000000 +0200
@@ -0,0 +1,18 @@+Description: Allow passwords to contain special chars and still work with hook scripts
+Author: Fabian Hickert <hickert@gonicus.de> +Index: functions.inc +=================================================================== +--- a/gosa-core/include/functions.inc (revision 21128) ++++ b/gosa-core/include/functions.inc (working copy) +@@ -3059,8 +3059,8 @@ + + if ($command != ""){ + /* Walk through attribute list */ +- $command= preg_replace("/%userPassword/", $password, $command); +- $command= preg_replace("/%dn/", $dn, $command);++ $command= preg_replace("/%userPassword/", escapeshellarg($password), $command);
++ $command= preg_replace("/%dn/", escapeshellarg($dn), $command); + + if (check_command($command)){+ @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");
+ -- DAS-NETZWERKTEAM mike gabriel, rothenstein 5, 24214 neudorf-bornstein fon: +49 (1520) 1976 148 GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
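Review bot: The new debian/changelog entry describes the change only as "Backport shellvar escaping code" with urgency=low, while the request calls it a security fix. Say in the entry that the unescaped %userPassword and %dn values reached a shell command, so that anyone reading the stable update's changelog can tell it is security relevant.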
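Review bot: In the functions.inc hunk carried by 14_escape.patch, the escaped value is passed as the replacement argument of preg_replace(), where PHP still interprets $n and \n as backreferences. escapeshellarg() does not neutralise those sequences, so a password that contains one is altered before it reaches the hook script. The two substitutions also run one after the other, so a literal %dn inside the password is rewritten by the second call, within the quotes the first call added. A single-pass literal substitution avoids both, for example strtr($command, array("%userPassword" => escapeshellarg($password), "%dn" => escapeshellarg($dn))). The patch description should also tell administrators that hook command templates which already quote %userPassword or %dn need those quotes removed, since the values now arrive quoted.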