
Bug#779229: unblock: redmine/3.0~20140825-5

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package redmine

This version includes a patch for a security issue which has no public
identifier yet.

The debdiff against the package in testing is attached.

unblock redmine/3.0~20140825-5

-- System Information:
Debian Release: 8.0
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Antonio Terceiro <terceiro@debian.org>
diff -Nru redmine-3.0~20140825/debian/changelog redmine-3.0~20140825/debian/changelog
--- redmine-3.0~20140825/debian/changelog	2015-01-30 14:04:43.000000000 -0200
+++ redmine-3.0~20140825/debian/changelog	2015-02-22 11:35:14.000000000 -0300
@@ -1,3 +1,11 @@
+redmine (3.0~20140825-5) unstable; urgency=high
+
+  * debian/patches/0001-Escape-flash-messages-19117.patch
+    - Fix potential XSS vulnerability with flash messages.
+    - No CVE id assigned yet
+
+ -- Antonio Terceiro <terceiro@debian.org>  Sun, 22 Feb 2015 11:32:27 -0300
+
 redmine (3.0~20140825-4) unstable; urgency=medium
 
   * debian/doc/examples/apache2-passenger-alias.conf: updated example
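Review bot: the new changelog stanza names the patch file but never states the upstream reference in prose; since the entry itself says no CVE id exists yet, the line "Fix potential XSS vulnerability with flash messages." should carry the upstream issue number (redmine #19117, already present in the patch filename) so the security tracker has something to match on, and the entry should be amended once a CVE is assigned.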
diff -Nru redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch
--- redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch	1969-12-31 21:00:00.000000000 -0300
+++ redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch	2015-02-22 11:35:14.000000000 -0300
@@ -0,0 +1,45 @@
+From 2a7795ab525a47aee4484708acde409e6c4e6737 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Lang <jp_lang@yahoo.fr>
+Date: Tue, 17 Feb 2015 17:47:36 +0000
+Subject: [PATCH] Escape flash messages (#19117).
+
+git-svn-id: http://svn.redmine.org/redmine/trunk@14016 e93f8b46-1217-0410-a6f0-8f06a7374b81
+---
+ app/controllers/account_controller.rb | 2 +-
+ app/controllers/admin_controller.rb   | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/app/controllers/account_controller.rb
++++ b/app/controllers/account_controller.rb
+@@ -290,7 +290,7 @@ class AccountController < ApplicationCon
+     token = Token.new(:user => user, :action => "register")
+     if user.save and token.save
+       Mailer.register(token).deliver
+-      flash[:notice] = l(:notice_account_register_done, :email => user.mail)
++      flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
+       redirect_to signin_path
+     else
+       yield if block_given?
+--- a/app/controllers/admin_controller.rb
++++ b/app/controllers/admin_controller.rb
+@@ -51,7 +51,7 @@ class AdminController < ApplicationContr
+         Redmine::DefaultData::Loader::load(params[:lang])
+         flash[:notice] = l(:notice_default_data_loaded)
+       rescue Exception => e
+-        flash[:error] = l(:error_can_t_load_default_data, e.message)
++        flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
+       end
+     end
+     redirect_to admin_path
+@@ -63,9 +63,9 @@ class AdminController < ApplicationContr
+     ActionMailer::Base.raise_delivery_errors = true
+     begin
+       @test = Mailer.test_email(User.current).deliver
+-      flash[:notice] = l(:notice_email_sent, User.current.mail)
++      flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
+     rescue Exception => e
+-      flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))
++      flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
+     end
+     ActionMailer::Base.raise_delivery_errors = raise_delivery_errors
+     redirect_to settings_path(:tab => 'notifications')
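Review bot: in the admin_controller default-data hunk, `flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))` escapes the exception message without the `Redmine::CodesetUtil.replace_invalid_utf8` normalisation that the email-test hunk applies first; if `e.message` carries an invalid byte sequence, the regex substitution inside `ERB::Util.h` can itself raise an ArgumentError from within the rescue block, turning a reported error into an unhandled one. Using the same order as `ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))` in both places would avoid that. Note also that the escaping is applied at the four assignment sites rather than where the flash is rendered, so only these messages are covered; that matches the upstream commit (2 files changed, 4 insertions), but any other flash assignment that interpolates untrusted data would need the same treatment.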
diff -Nru redmine-3.0~20140825/debian/patches/series redmine-3.0~20140825/debian/patches/series
--- redmine-3.0~20140825/debian/patches/series	2015-01-30 14:04:43.000000000 -0200
+++ redmine-3.0~20140825/debian/patches/series	2015-02-22 11:35:14.000000000 -0300
@@ -10,3 +10,4 @@
 drop-update_all.patch
 invalidate-language-cache-from-older-versions.diff
 avoid-crash-on-issues.diff
+0001-Escape-flash-messages-19117.patch
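Review bot: appending the entry last in series is the right position for an independent fix, but `0001-Escape-flash-messages-19117.patch` is the only git-format-patch-style numbered name in the file, where the existing entries use plain `*.patch` / `*.diff` names; dropping the `0001-` prefix would keep the naming consistent.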
