Bug#785386: marked as done (jessie-pu: package php-horde/5.2.1+debian0-2)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#785386: marked as done (jessie-pu: package php-horde/5.2.1+debian0-2)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 06 Jun 2015 12:17:15 +0000
Message-id: <[🔎] handler.785386.D785386.143359269026369.ackdone@bugs.debian.org>
References: <1433592671.2987.12.camel@adam-barratt.org.uk> <20150515151635.32598.84967.reportbug@ultrathieu.sathieu.net>

Your message dated Sat, 06 Jun 2015 13:11:11 +0100
with message-id <1433592671.2987.12.camel@adam-barratt.org.uk>
and subject line Fix released with 8.1 point release
has caused the Debian Bug report #785386,
regarding jessie-pu: package php-horde/5.2.1+debian0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
785386: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785386
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jessie-pu: package php-horde/5.2.1+debian0-2
From: Mathieu Parent <sathieu@debian.org>
Date: Fri, 15 May 2015 17:16:35 +0200
Message-id: <20150515151635.32598.84967.reportbug@ultrathieu.sathieu.net>

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

php-horde in Jessie has an XSS security bug (#785364).

I plan to fix in thru -updates.

Debdiff attached.

Regards

Mathieu Parent


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

>From 4b855a205b0c33f91a908d070d7848100ef4697a Mon Sep 17 00:00:00 2001
From: Mathieu Parent <math.parent@gmail.com>
Date: Fri, 15 May 2015 11:38:49 +0200
Subject: [PATCH] Fix XSS in group administration (Closes: #785364)

---
 debian/changelog                                   |  6 ++++++
 .../0003-Fix-XSS-in-group-administration.patch     | 23 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 30 insertions(+)
 create mode 100644 debian/patches/0003-Fix-XSS-in-group-administration.patch

diff --git a/debian/changelog b/debian/changelog
index 2796877..b801a8d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-horde (5.2.1+debian0-2+deb8u1) stable; urgency=medium
+
+  * Fix XSS in group administration (Closes: #785364)
+
+ -- Mathieu Parent <sathieu@debian.org>  Fri, 15 May 2015 17:14:33 +0200
+
 php-horde (5.2.1+debian0-2) unstable; urgency=medium
 
   * Update Standards-Version, no change
diff --git a/debian/patches/0003-Fix-XSS-in-group-administration.patch b/debian/patches/0003-Fix-XSS-in-group-administration.patch
new file mode 100644
index 0000000..f318a40
--- /dev/null
+++ b/debian/patches/0003-Fix-XSS-in-group-administration.patch
@@ -0,0 +1,23 @@
+From: Mathieu Parent <math.parent@gmail.com>
+Date: Tue, 5 May 2015 21:56:08 +0200
+Subject: Fix XSS in group administration
+
+Origin: https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220
+Author: Jan Schneider <jan@horde.org>
+---
+ horde-5.2.1/admin/groups.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/horde-5.2.1/admin/groups.php b/horde-5.2.1/admin/groups.php
+index 3a3fa48..0423531 100644
+--- a/horde-5.2.1/admin/groups.php
++++ b/horde-5.2.1/admin/groups.php
+@@ -211,7 +211,7 @@ foreach ($nodes as $id => $node) {
+     $tree->addNode(array(
+         'id' => $id,
+         'parent' => null,
+-        'label' => $node,
++        'label' => htmlspecialchars($node),
+         'expanded' => false,
+         'params' => $group_node + $node_params,
+         'right' => array($spacer, $delete_link)
diff --git a/debian/patches/series b/debian/patches/series
index 8e6d7d8..df54592 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0002-Fix-rewrite-base.patch
+0003-Fix-XSS-in-group-administration.patch
-- 
2.1.4

--- End Message ---

--- Begin Message ---

To: 781276-done@bugs.debian.org

Cc: 781284-done@bugs.debian.org, 782900-done@bugs.debian.org, 783256-done@bugs.debian.org, 783404-done@bugs.debian.org, 783488-done@bugs.debian.org, 783489-done@bugs.debian.org, 783526-done@bugs.debian.org, 783722-done@bugs.debian.org, 783750-done@bugs.debian.org, 783811-done@bugs.debian.org, 783884-done@bugs.debian.org, 783973-done@bugs.debian.org, 784101-done@bugs.debian.org, 784178-done@bugs.debian.org, 784342-done@bugs.debian.org, 784383-done@bugs.debian.org, 784644-done@bugs.debian.org, 784714-done@bugs.debian.org, 784800-done@bugs.debian.org, 784801-done@bugs.debian.org, 784815-done@bugs.debian.org, 784816-done@bugs.debian.org, 784905-done@bugs.debian.org, 784943-done@bugs.debian.org, 784946-done@bugs.debian.org, 784962-done@bugs.debian.org, 784963-done@bugs.debian.org, 784964-done@bugs.debian.org, 784998-done@bugs.debian.org, 785154-done@bugs.debian.org, 785184-done@bugs.debian.org, 785201-done@bugs.debian.org, 785240-done@bugs.debian.org, 785254-done@bugs.debian.org, 785298-done@bugs.debian.org, 785301-done@bugs.debian.org, 785386-done@bugs.debian.org, 785478-done@bugs.debian.org, 785510-done@bugs.debian.org, 785523-done@bugs.debian.org, 785713-done@bugs.debian.org, 785718-done@bugs.debian.org, 786388-done@bugs.debian.org, 786389-done@bugs.debian.org, 786431-done@bugs.debian.org, 786513-done@bugs.debian.org, 786647-done@bugs.debian.org, 786720-done@bugs.debian.org, 786744-done@bugs.debian.org, 786811-done@bugs.debian.org, 786812-done@bugs.debian.org, 786856-done@bugs.debian.org, 786860-done@bugs.debian.org, 786863-done@bugs.debian.org, 786870-done@bugs.debian.org, 786912-done@bugs.debian.org, 786918-done@bugs.debian.org, 786922-done@bugs.debian.org, 786924-done@bugs.debian.org, 786982-done@bugs.debian.org, 787008-done@bugs.debian.org, 787014-done@bugs.debian.org, 787255-done@bugs.debian.org, 787260-done@bugs.debian.org, 787626-done@bugs.debian.org, 787636-done@bugs.debian.org

Subject: Fix released with 8.1 point release

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 06 Jun 2015 13:11:11 +0100

Message-id: <1433592671.2987.12.camel@adam-barratt.org.uk>
Version: 8.1

Hi,

The fix discussed in this bug was released to stable as part of the 8.1
point release earlier today.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Bug#785298: marked as done (jessie-pu: package osmosis/0.43.1-3+deb8u1)
Next by Date: Bug#785301: marked as done (jessie-pu: package dbus/1.8.18-0+deb8u1)
Previous by thread: Bug#785298: marked as done (jessie-pu: package osmosis/0.43.1-3+deb8u1)
Next by thread: Bug#785301: marked as done (jessie-pu: package dbus/1.8.18-0+deb8u1)
Index(es):
- Date
- Thread