Bug#682482: unblock: glpi/0.83.31-1
On 2012-07-23 10:56, Pierre Chifflier wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Hi,
>
> GLPI 0.83.31 (micro-fix based on 0.83.3) is an important security
> release, fixing two CVEs:
>
> CVE-2012-4002:
> Bug #3704: CSRF prevention step 1
> Bug #3707: CSRF prevention step 2
>
> CVE-2012-4003:
> Bug #3705: Security XSS for few items
>
> https://forge.indepnet.net/projects/glpi/versions/771
>
> Note: the diff from 0.83.2-1 (current testing) is pretty big, but almost
> all the patch is made of fixes in many files. Trying to backport would
> make no sense imho since it would bring almost everything, and make future
> maintenance even harder.
>
> Please allow GLPI 0.83.31 in testing.
>
> Regards,
> Pierre
>
> unblock glpi/0.83.31-1
Hi,
I am afraid that diff is too much for me to review. I have tried a
couple of times now and there is a lot in there I expect is "unrelated
changes".
I understand that due to #3707, the security-fix-only diff will still be
huge. That said, it is not the Html::closeForm() (i.e. CSRF step 2)
that I choke on. So I would be interested in seeing the diff with only
the security fixes.
~Niels