--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: glpi/0.83.31-2
- From: Pierre Chifflier <pollux@debian.org>
- Date: Fri, 25 Jan 2013 11:51:27 +0100
- Message-id: <20130125105127.16948.74780.reportbug@ks26688.kimsufi.com>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package glpi
This fixes a security issue, and should allow glpi not to be removed
from wheezy.
Changelog:
glpi (0.83.31-2) unstable; urgency=high
.
* Security fixes:
Replace embedded copy of extjs by Debian package, the embedded one
contains a flash file built with a vulnerable version of yui
(charts.swf).
(Closes: #694642)
* Urgency high, this is a RC bug
Full debdiff attached.
Regards,
Pierre
unblock glpi/0.83.31-2
-- System Information:
Debian Release: 6.0.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32.55.pollux-grsec (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru glpi-0.83.31/debian/changelog glpi-0.83.31/debian/changelog
--- glpi-0.83.31/debian/changelog 2012-07-22 21:47:52.000000000 +0200
+++ glpi-0.83.31/debian/changelog 2013-01-25 11:37:11.000000000 +0100
@@ -1,3 +1,13 @@
+glpi (0.83.31-2) unstable; urgency=high
+
+ * Security fixes:
+ Replace embedded copy of extjs by Debian package, the embedded one
+ contains a flash file built with a vulnerable version of yui (charts.swf).
+ (Closes: #694642)
+ * Urgency high, this is a RC bug
+
+ -- Pierre Chifflier <pollux@debian.org> Fri, 25 Jan 2013 11:37:09 +0100
+
glpi (0.83.31-1) unstable; urgency=medium
* Imported Upstream version 0.83.31
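Review bot: grammar nit in the new changelog entry, "this is a RC bug" should read "this is an RC bug"; otherwise the entry states the fix, the reason (charts.swf built with a vulnerable yui) and the bug it closes, which is what the release team needs to see.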
diff -Nru glpi-0.83.31/debian/control glpi-0.83.31/debian/control
--- glpi-0.83.31/debian/control 2012-03-10 11:37:14.000000000 +0100
+++ glpi-0.83.31/debian/control 2013-01-25 11:32:56.000000000 +0100
@@ -15,6 +15,7 @@
ttf-freefont,
tinymce,
libphp-phpmailer,
+ libjs-extjs,
${misc:Depends}
Description: IT and Asset management software
GLPI stands for "Gestionnaire libre de parc informatique",
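Review bot: the new `libjs-extjs` dependency is unversioned. Since the whole point of this upload is that the packaged extjs must replace the embedded copy that ships the vulnerable charts.swf, consider a versioned relation such as `libjs-extjs (>= <fixed version>)` (placeholder, the exact version is not in this diff) so that an older libjs-extjs installed alongside cannot silently reintroduce the file the package is supposed to stop shipping.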
diff -Nru glpi-0.83.31/debian/rules glpi-0.83.31/debian/rules
--- glpi-0.83.31/debian/rules 2012-04-28 16:58:14.000000000 +0200
+++ glpi-0.83.31/debian/rules 2013-01-25 11:34:15.000000000 +0100
@@ -67,6 +67,8 @@
rm -rf $(DESTDIR)/usr/share/glpi/lib/phpcas
rm -rf $(DESTDIR)/usr/share/glpi/lib/tiny_mce
rm -rf $(DESTDIR)/usr/share/glpi/lib/phpmailer
+ rm -rf $(DESTDIR)/usr/share/glpi/lib/extjs; \
+ ln -s /usr/share/javascript/extjs $(DESTDIR)/usr/share/glpi/lib/extjs
build-arch: build
build-indep: build
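Review bot: the `rm -rf $(DESTDIR)/usr/share/glpi/lib/extjs` only strips the embedded copy from the installed tree, so the source package still carries charts.swf; if the goal is for the archive not to distribute the vulnerable file at all, a repacked orig tarball (a +dfsg-style source) would be needed in addition to this install-time removal. Two smaller points on the same lines: the trailing `; \` joining the two new commands is inconsistent with the surrounding `rm -rf` lines, which each stand as their own recipe line, and the symlink target `/usr/share/javascript/extjs` should be confirmed against the path that libjs-extjs actually installs before upload.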
--- End Message ---
--- Begin Message ---
On 2013-03-06 21:37, Niels Thykier wrote:
> [...]
>
> #694642 got downgraded since last time I looked. I have to admit that I
> am considering to just "ignore" the embedded swf issue in Wheezy[1] and
> call this a day. I know it is not as satisfying for you (or me for that
> matter), but I think it is the pragmatic thing to do here.
> That said, you can just upload that version to sid; if we change our
> minds the fixed version will have had a bit more time in sid. And if
> not, then the bug is at least fixed in the start of Jessie.
>
> ~Niels
>
> [1] We already got a few "DFSG-incompatible JSON" issues that won't be
> fixed in Wheezy.
>
>
Seems like no one disagreed, so closing.
~Niels
--- End Message ---