gosa update for s-p-u (highly relevant for the Debian Edu blend)



Dear release team,

The next Debian Edu release 6.0.5+r1 depends on a security fix in GOsa² (src:package gosa):
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665950

A new squeeze-compliant version of gosa (2.6.11-3+squeeze2) has now been provided by the gosa maintainer.

May I ask you to review the debdiff output below and give your permission for uploading gosa 2.6.11-3+squeeze2 to s-p-u?

Thanks in advance,
Mike Gabriel


diff -Nru gosa-2.6.11/debian/changelog gosa-2.6.11/debian/changelog
--- gosa-2.6.11/debian/changelog        2012-02-06 13:43:11.000000000 +0100
+++ gosa-2.6.11/debian/changelog        2012-07-02 21:56:21.000000000 +0200
@@ -1,3 +1,9 @@
+gosa (2.6.11-3+squeeze2) stable; urgency=low
+
+  * Backport shellvar escaping code. Closes: #665950.
+
+ -- Cajus Pollmeier <cajus@debian.org>  Mon, 11 Jun 2012 13:52:18 +0100
+
 gosa (2.6.11-3+squeeze1) stable; urgency=low

   * Fix DHCP host removal. Closes: #650258
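
Review bot: The new entry at the top of debian/changelog says only "Backport shellvar escaping code" with urgency=low, which does not tell a reader of the changelog that the substitution of %userPassword and %dn into hook commands changes. Suggest naming the two placeholders and escapeshellarg() in the entry. The trailer is also dated Mon, 11 Jun 2012 with a +0100 offset, while the file timestamp in this debdiff is 2012-07-02 +0200; worth confirming the date line is as intended.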
diff -Nru gosa-2.6.11/debian/patches/14_escape.patch gosa-2.6.11/debian/patches/14_escape.patch --- gosa-2.6.11/debian/patches/14_escape.patch 1970-01-01 01:00:00.000000000 +0100 +++ gosa-2.6.11/debian/patches/14_escape.patch 2012-07-02 21:54:37.000000000 +0200
@@ -0,0 +1,18 @@
+Description: Allow passwords to contain special chars and still work with hook scripts
+Author: Fabian Hickert <hickert@gonicus.de>
+Index: functions.inc
+===================================================================
+--- a/gosa-core/include/functions.inc  (revision 21128)
++++ b/gosa-core/include/functions.inc  (working copy)
+@@ -3059,8 +3059,8 @@
+
+       if ($command != ""){
+         /* Walk through attribute list */
+-        $command= preg_replace("/%userPassword/", $password, $command);
+-        $command= preg_replace("/%dn/", $dn, $command);
++ $command= preg_replace("/%userPassword/", escapeshellarg($password), $command);
++        $command= preg_replace("/%dn/", escapeshellarg($dn), $command);
+
+         if (check_command($command)){
+ @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");
+
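
Review bot: In the two added preg_replace() calls the escapeshellarg() result is passed as the replacement string, where preg_replace() still interprets $n and \n as backreferences, so a password or DN containing such a sequence is altered before the hook sees it, contrary to the Description's aim of letting passwords contain special chars. Since the pattern is a fixed literal, str_replace("%userPassword", escapeshellarg($password), $command) (and the same for %dn) avoids this; preg_replace_callback() would also work. Separately, escapeshellarg() adds its own single quotes, so existing hook templates that already wrap %userPassword or %dn in quotes will no longer quote the value as intended; the Description or upgrade notes should tell administrators to remove quotes around the placeholders.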


--

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0xB588399B
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
