Your message dated Wed, 25 Feb 2015 19:20:19 +0000 with message-id <1424892019.20407.7.camel@adam-barratt.org.uk> and subject line Re: Bug#779229: unblock: redmine/3.0~20140825-5 has caused the Debian Bug report #779229, regarding unblock: redmine/3.0~20140825-5 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 779229: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779229 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: redmine/3.0~20140825-5
- From: Antonio Terceiro <terceiro@debian.org>
- Date: Wed, 25 Feb 2015 15:28:39 -0300
- Message-id: <[🔎] 20150225182839.GA9301@debian.org>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock package redmine This version includes a patch for a security issue which has no public identifier yet. the debdiff against the package in testing is attached unblock redmine/3.0~20140825-5 -- System Information: Debian Release: 8.0 APT prefers buildd-unstable APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Antonio Terceiro <terceiro@debian.org>diff -Nru redmine-3.0~20140825/debian/changelog redmine-3.0~20140825/debian/changelog --- redmine-3.0~20140825/debian/changelog 2015-01-30 14:04:43.000000000 -0200 +++ redmine-3.0~20140825/debian/changelog 2015-02-22 11:35:14.000000000 -0300 @@ -1,3 +1,11 @@ +redmine (3.0~20140825-5) unstable; urgency=high + + * debian/patches/0001-Escape-flash-messages-19117.patch + - Fix potential XSS vulnerability with flash messages. + - No CVE id assigned yet + + -- Antonio Terceiro <terceiro@debian.org> Sun, 22 Feb 2015 11:32:27 -0300 + redmine (3.0~20140825-4) unstable; urgency=medium * debian/doc/examples/apache2-passenger-alias.conf: updated example diff -Nru redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch --- redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch 1969-12-31 21:00:00.000000000 -0300 +++ redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch 2015-02-22 11:35:14.000000000 -0300 @@ -0,0 +1,45 @@ +From 2a7795ab525a47aee4484708acde409e6c4e6737 Mon Sep 17 00:00:00 2001 +From: Jean-Philippe Lang <jp_lang@yahoo.fr> +Date: Tue, 17 Feb 2015 17:47:36 +0000 +Subject: [PATCH] Escape flash messages (#19117). + +git-svn-id: http://svn.redmine.org/redmine/trunk@14016 e93f8b46-1217-0410-a6f0-8f06a7374b81 +--- + app/controllers/account_controller.rb | 2 +- + app/controllers/admin_controller.rb | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/app/controllers/account_controller.rb ++++ b/app/controllers/account_controller.rb +@@ -290,7 +290,7 @@ class AccountController < ApplicationCon + token = Token.new(:user => user, :action => "register") + if user.save and token.save + Mailer.register(token).deliver +- flash[:notice] = l(:notice_account_register_done, :email => user.mail) ++ flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail)) + redirect_to signin_path + else + yield if block_given? +--- a/app/controllers/admin_controller.rb ++++ b/app/controllers/admin_controller.rb +@@ -51,7 +51,7 @@ class AdminController < ApplicationContr + Redmine::DefaultData::Loader::load(params[:lang]) + flash[:notice] = l(:notice_default_data_loaded) + rescue Exception => e +- flash[:error] = l(:error_can_t_load_default_data, e.message) ++ flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message)) + end + end + redirect_to admin_path +@@ -63,9 +63,9 @@ class AdminController < ApplicationContr + ActionMailer::Base.raise_delivery_errors = true + begin + @test = Mailer.test_email(User.current).deliver +- flash[:notice] = l(:notice_email_sent, User.current.mail) ++ flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail)) + rescue Exception => e +- flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)) ++ flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))) + end + ActionMailer::Base.raise_delivery_errors = raise_delivery_errors + redirect_to settings_path(:tab => 'notifications') diff -Nru redmine-3.0~20140825/debian/patches/series redmine-3.0~20140825/debian/patches/series --- redmine-3.0~20140825/debian/patches/series 2015-01-30 14:04:43.000000000 -0200 +++ redmine-3.0~20140825/debian/patches/series 2015-02-22 11:35:14.000000000 -0300 @@ -10,3 +10,4 @@ drop-update_all.patch invalidate-language-cache-from-older-versions.diff avoid-crash-on-issues.diff +0001-Escape-flash-messages-19117.patchAttachment: signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
- To: Antonio Terceiro <terceiro@debian.org>, 779229-done@bugs.debian.org
- Subject: Re: Bug#779229: unblock: redmine/3.0~20140825-5
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Wed, 25 Feb 2015 19:20:19 +0000
- Message-id: <1424892019.20407.7.camel@adam-barratt.org.uk>
- In-reply-to: <[🔎] 20150225182839.GA9301@debian.org>
- References: <[🔎] 20150225182839.GA9301@debian.org>
On Wed, 2015-02-25 at 15:28 -0300, Antonio Terceiro wrote: > Please unblock package redmine > > This version includes a patch for a security issue which has no public > identifier yet. Unblocked. Regards, Adam
--- End Message ---