Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package redmine This version includes a patch for a security issue which has no public identifier yet. The debdiff against the package in testing is attached. unblock redmine/3.0~20140825-5 -- System Information: Debian Release: 8.0 APT prefers buildd-unstable APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Antonio Terceiro <terceiro@debian.org>
diff -Nru redmine-3.0~20140825/debian/changelog redmine-3.0~20140825/debian/changelog
--- redmine-3.0~20140825/debian/changelog 2015-01-30 14:04:43.000000000 -0200
+++ redmine-3.0~20140825/debian/changelog 2015-02-22 11:35:14.000000000 -0300
@@ -1,3 +1,11 @@
+redmine (3.0~20140825-5) unstable; urgency=high
+
+ * debian/patches/0001-Escape-flash-messages-19117.patch
+ - Fix potential XSS vulnerability with flash messages.
+ - No CVE id assigned yet
+
+ -- Antonio Terceiro <terceiro@debian.org> Sun, 22 Feb 2015 11:32:27 -0300
+
 redmine (3.0~20140825-4) unstable; urgency=medium
 
 * debian/doc/examples/apache2-passenger-alias.conf: updated example
diff -Nru redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch
--- redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch 1969-12-31 21:00:00.000000000 -0300
+++ redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch 2015-02-22 11:35:14.000000000 -0300
@@ -0,0 +1,45 @@
+From 2a7795ab525a47aee4484708acde409e6c4e6737 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Lang <jp_lang@yahoo.fr>
+Date: Tue, 17 Feb 2015 17:47:36 +0000
+Subject: [PATCH] Escape flash messages (#19117).
+
+git-svn-id: http://svn.redmine.org/redmine/trunk@14016 e93f8b46-1217-0410-a6f0-8f06a7374b81
+---
+ app/controllers/account_controller.rb | 2 +-
+ app/controllers/admin_controller.rb | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/app/controllers/account_controller.rb
++++ b/app/controllers/account_controller.rb
+@@ -290,7 +290,7 @@ class AccountController < ApplicationCon
+ token = Token.new(:user => user, :action => "register")
+ if user.save and token.save
+ Mailer.register(token).deliver
+- flash[:notice] = l(:notice_account_register_done, :email => user.mail)
++ flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
+ redirect_to signin_path
+ else
+ yield if block_given?
+--- a/app/controllers/admin_controller.rb
++++ b/app/controllers/admin_controller.rb
+@@ -51,7 +51,7 @@ class AdminController < ApplicationContr
+ Redmine::DefaultData::Loader::load(params[:lang])
+ flash[:notice] = l(:notice_default_data_loaded)
+ rescue Exception => e
+- flash[:error] = l(:error_can_t_load_default_data, e.message)
++ flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
+ end
+ end
+ redirect_to admin_path
+@@ -63,9 +63,9 @@ class AdminController < ApplicationContr
+ ActionMailer::Base.raise_delivery_errors = true
+ begin
+ @test = Mailer.test_email(User.current).deliver
+- flash[:notice] = l(:notice_email_sent, User.current.mail)
++ flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
+ rescue Exception => e
+- flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))
++ flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
+ end
ActionMailer::Base.raise_delivery_errors = raise_delivery_errors
+ redirect_to settings_path(:tab => 'notifications')
diff -Nru redmine-3.0~20140825/debian/patches/series redmine-3.0~20140825/debian/patches/series
--- redmine-3.0~20140825/debian/patches/series 2015-01-30 14:04:43.000000000 -0200
+++ redmine-3.0~20140825/debian/patches/series 2015-02-22 11:35:14.000000000 -0300
@@ -10,3 +10,4 @@
 drop-update_all.patch
 invalidate-language-cache-from-older-versions.diff
 avoid-crash-on-issues.diff
+0001-Escape-flash-messages-19117.patch
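Review bot: The new `ERB::Util.h(...)` calls escape at the point where the flash string is built, which leaves the reason implicit: the escaping only makes sense if flash text is rendered as HTML downstream (the view is not in this hunk), and nothing in the code signals that contract to whoever adds the next `flash[...] = l(...)` with user- or exception-derived data. A short comment on the first escaped assignment would carry that forward, e.g. `# flash messages are rendered as HTML; escape any user- or error-derived text before interpolation`. The four sites fixed here may not be the only flash assignments that interpolate untrusted text; that cannot be judged from this hunk and is worth stating in the patch header. Each inner hunk is an excerpt: the AccountController and AdminController methods it touches start and end outside the hunk.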