
Bug#779229: marked as done (unblock: redmine/3.0~20140825-5)



Your message dated Wed, 25 Feb 2015 19:20:19 +0000
with message-id <1424892019.20407.7.camel@adam-barratt.org.uk>
and subject line Re: Bug#779229: unblock: redmine/3.0~20140825-5
has caused the Debian Bug report #779229,
regarding unblock: redmine/3.0~20140825-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
779229: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779229
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package redmine

This version includes a patch for a security issue which has no public
identifier yet.

The debdiff against the package in testing is attached.

unblock redmine/3.0~20140825-5

-- System Information:
Debian Release: 8.0
  APT prefers buildd-unstable
  APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Antonio Terceiro <terceiro@debian.org>
diff -Nru redmine-3.0~20140825/debian/changelog redmine-3.0~20140825/debian/changelog
--- redmine-3.0~20140825/debian/changelog	2015-01-30 14:04:43.000000000 -0200
+++ redmine-3.0~20140825/debian/changelog	2015-02-22 11:35:14.000000000 -0300
@@ -1,3 +1,11 @@
+redmine (3.0~20140825-5) unstable; urgency=high
+
+  * debian/patches/0001-Escape-flash-messages-19117.patch
+    - Fix potential XSS vulnerability with flash messages.
+    - No CVE id assigned yet
+
+ -- Antonio Terceiro <terceiro@debian.org>  Sun, 22 Feb 2015 11:32:27 -0300
+
 redmine (3.0~20140825-4) unstable; urgency=medium
 
   * debian/doc/examples/apache2-passenger-alias.conf: updated example
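Review bot: the changelog entry should reference the upstream issue number so the fix can be traced to the advisory; the patch file name and its Subject line carry "#19117", so "Fix potential XSS vulnerability with flash messages (upstream #19117)" would be enough, and the "No CVE id assigned yet" line should be replaced with the identifier once one is published. urgency=high is appropriate for a security upload.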
diff -Nru redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch
--- redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch	1969-12-31 21:00:00.000000000 -0300
+++ redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch	2015-02-22 11:35:14.000000000 -0300
@@ -0,0 +1,45 @@
+From 2a7795ab525a47aee4484708acde409e6c4e6737 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Lang <jp_lang@yahoo.fr>
+Date: Tue, 17 Feb 2015 17:47:36 +0000
+Subject: [PATCH] Escape flash messages (#19117).
+
+git-svn-id: http://svn.redmine.org/redmine/trunk@14016 e93f8b46-1217-0410-a6f0-8f06a7374b81
+---
+ app/controllers/account_controller.rb | 2 +-
+ app/controllers/admin_controller.rb   | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/app/controllers/account_controller.rb
++++ b/app/controllers/account_controller.rb
+@@ -290,7 +290,7 @@ class AccountController < ApplicationCon
+     token = Token.new(:user => user, :action => "register")
+     if user.save and token.save
+       Mailer.register(token).deliver
+-      flash[:notice] = l(:notice_account_register_done, :email => user.mail)
++      flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
+       redirect_to signin_path
+     else
+       yield if block_given?
+--- a/app/controllers/admin_controller.rb
++++ b/app/controllers/admin_controller.rb
+@@ -51,7 +51,7 @@ class AdminController < ApplicationContr
+         Redmine::DefaultData::Loader::load(params[:lang])
+         flash[:notice] = l(:notice_default_data_loaded)
+       rescue Exception => e
+-        flash[:error] = l(:error_can_t_load_default_data, e.message)
++        flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
+       end
+     end
+     redirect_to admin_path
+@@ -63,9 +63,9 @@ class AdminController < ApplicationContr
+     ActionMailer::Base.raise_delivery_errors = true
+     begin
+       @test = Mailer.test_email(User.current).deliver
+-      flash[:notice] = l(:notice_email_sent, User.current.mail)
++      flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
+     rescue Exception => e
+-      flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))
++      flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
+     end
+     ActionMailer::Base.raise_delivery_errors = raise_delivery_errors
+     redirect_to settings_path(:tab => 'notifications')
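Review bot: the fix escapes each interpolated value at the call site with ERB::Util.h before it goes into the flash, which implies the layout renders flash[:notice] and flash[:error] as raw HTML; that leaves every other flash assignment that interpolates user-influenced data (e-mail addresses, exception messages) relying on the same per-caller discipline, so it is worth confirming that the remaining flash assignments in these controllers either interpolate nothing attacker-controlled or are escaped the same way. Two smaller points from the visible context: the `rescue Exception => e` branches swallow every exception class (including non-StandardError ones) and surface the message to the user, so `rescue => e` would be the narrower choice if this code is touched again; and since the file already carries git-format-patch headers (From, Date, Subject, git-svn-id), a DEP-3 `Origin:` or `Bug:` line pointing at the upstream issue would make the patch self-describing in the Debian package.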
diff -Nru redmine-3.0~20140825/debian/patches/series redmine-3.0~20140825/debian/patches/series
--- redmine-3.0~20140825/debian/patches/series	2015-01-30 14:04:43.000000000 -0200
+++ redmine-3.0~20140825/debian/patches/series	2015-02-22 11:35:14.000000000 -0300
@@ -10,3 +10,4 @@
 drop-update_all.patch
 invalidate-language-cache-from-older-versions.diff
 avoid-crash-on-issues.diff
+0001-Escape-flash-messages-19117.patch

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
On Wed, 2015-02-25 at 15:28 -0300, Antonio Terceiro wrote:
> Please unblock package redmine
> 
> This version includes a patch for a security issue which has no public
> identifier yet.

Unblocked.

Regards,

Adam

--- End Message ---