Bug#785386: jessie-pu: package php-horde/5.2.1+debian0-2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
php-horde in Jessie has an XSS security bug (#785364).
I plan to fix it through -updates.
Debdiff attached.
Regards
Mathieu Parent
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
From 4b855a205b0c33f91a908d070d7848100ef4697a Mon Sep 17 00:00:00 2001
From: Mathieu Parent <math.parent@gmail.com>
Date: Fri, 15 May 2015 11:38:49 +0200
Subject: [PATCH] Fix XSS in group administration (Closes: #785364)
---
debian/changelog | 6 ++++++
.../0003-Fix-XSS-in-group-administration.patch | 23 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 30 insertions(+)
create mode 100644 debian/patches/0003-Fix-XSS-in-group-administration.patch
diff --git a/debian/changelog b/debian/changelog
index 2796877..b801a8d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-horde (5.2.1+debian0-2+deb8u1) stable; urgency=medium
+
+ * Fix XSS in group administration (Closes: #785364)
+
+ -- Mathieu Parent <sathieu@debian.org> Fri, 15 May 2015 17:14:33 +0200
+
php-horde (5.2.1+debian0-2) unstable; urgency=medium
* Update Standards-Version, no change
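Review bot: the new entry at the top of debian/changelog says only "Fix XSS in group administration" and names neither the file touched nor where the fix comes from. The patch header further down already records the upstream origin (horde commit dae5277746abe613de0cacc004e95e9ed9d78220), so consider stating in the entry that this is a backport of that commit to admin/groups.php. That lets whoever reviews the stable update check the change from the changelog alone.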
diff --git a/debian/patches/0003-Fix-XSS-in-group-administration.patch b/debian/patches/0003-Fix-XSS-in-group-administration.patch
new file mode 100644
index 0000000..f318a40
--- /dev/null
+++ b/debian/patches/0003-Fix-XSS-in-group-administration.patch
@@ -0,0 +1,23 @@
+From: Mathieu Parent <math.parent@gmail.com>
+Date: Tue, 5 May 2015 21:56:08 +0200
+Subject: Fix XSS in group administration
+
+Origin: https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220
+Author: Jan Schneider <jan@horde.org>
+---
+ horde-5.2.1/admin/groups.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/horde-5.2.1/admin/groups.php b/horde-5.2.1/admin/groups.php
+index 3a3fa48..0423531 100644
+--- a/horde-5.2.1/admin/groups.php
++++ b/horde-5.2.1/admin/groups.php
+@@ -211,7 +211,7 @@ foreach ($nodes as $id => $node) {
+ $tree->addNode(array(
+ 'id' => $id,
+ 'parent' => null,
+- 'label' => $node,
++ 'label' => htmlspecialchars($node),
+ 'expanded' => false,
+ 'params' => $group_node + $node_params,
+ 'right' => array($spacer, $delete_link)
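Review bot: in the addNode() call in admin/groups.php only 'label' is escaped, while 'params' => $group_node + $node_params and 'right' => array($spacer, $delete_link) in the same array are still passed through unchanged. Please confirm that none of these carry the group name into markup, since the visible context does not show how $delete_link or $node_params are built. htmlspecialchars($node) is also called without a flags argument; if the tree renderer can place the label inside a single-quoted attribute, pass ENT_QUOTES explicitly. The patch header has Origin and Author but no Bug-Debian field, and adding one for #785364 would tie the patch to the report.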
diff --git a/debian/patches/series b/debian/patches/series
index 8e6d7d8..df54592 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
0002-Fix-rewrite-base.patch
+0003-Fix-XSS-in-group-administration.patch
--
2.1.4