Bug#858427: marked as done (unblock: pcs/0.9.155+dfsg-2)

To: Emilio Pozuelo Monfort <pochu@respighi.debian.org>
Subject: Bug#858427: marked as done (unblock: pcs/0.9.155+dfsg-2)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 22 Mar 2017 17:27:09 +0000
Message-id: <[🔎] handler.858427.D858427.149020356413712.ackdone@bugs.debian.org>
References: <E1cqk1K-0003UQ-Bm@respighi.debian.org> <[🔎] 149017626069.11775.10640431772358524981.reportbug@gavran.carpriv.carnet.hr>

Your message dated Wed, 22 Mar 2017 17:26:02 +0000
with message-id <E1cqk1K-0003UQ-Bm@respighi.debian.org>
and subject line unblock pcs
has caused the Debian Bug report #858427,
regarding unblock: pcs/0.9.155+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
858427: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858427
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: pcs/0.9.155+dfsg-2
From: Valentin Vidic <Valentin.Vidic@CARNet.hr>
Date: Wed, 22 Mar 2017 10:51:00 +0100
Message-id: <[🔎] 149017626069.11775.10640431772358524981.reportbug@gavran.carpriv.carnet.hr>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package pcs

This upload fixes CVE-2017-2661 reported in #858379 by
applying an upstream patch.


diff -Nru pcs-0.9.155+dfsg/debian/changelog pcs-0.9.155+dfsg/debian/changelog
--- pcs-0.9.155+dfsg/debian/changelog	2017-01-13 13:50:46.000000000 +0100
+++ pcs-0.9.155+dfsg/debian/changelog	2017-03-21 20:37:55.000000000 +0100
@@ -1,3 +1,9 @@
+pcs (0.9.155+dfsg-2) unstable; urgency=medium
+
+  * Add upstream fix for CVE-2017-2661 (Closes: #858379)
+
+ -- Valentin Vidic <Valentin.Vidic@CARNet.hr>  Tue, 21 Mar 2017 20:37:55 +0100
+
 pcs (0.9.155+dfsg-1) unstable; urgency=medium
 
   * Repack upstream source without Liberation fonts (Closes: #851115)
diff -Nru pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch
--- pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch	1970-01-01 01:00:00.000000000 +0100
+++ pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch	2017-03-21 20:37:55.000000000 +0100
@@ -0,0 +1,41 @@
+From: Ondrej Mular <omular@redhat.com>
+Date: Sat, 4 Mar 2017 14:01:43 +0100
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1428948
+Subject: [PATCH] web UI: fixed XSS vulnerability
+
+---
+ pcsd/public/js/nodes-ember.js | 4 ++--
+ pcsd/public/js/pcsd.js        | 2 +-
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/pcsd/public/js/nodes-ember.js
++++ b/pcsd/public/js/nodes-ember.js
+@@ -75,7 +75,7 @@
+     var banned_options = ["SBD_OPTS", "SBD_WATCHDOG_DEV", "SBD_PACEMAKER"];
+     $.each(this.get("sbd_config"), function(opt, val) {
+       if (banned_options.indexOf(opt) == -1) {
+-        out += '<tr><td>' + opt + '</td><td>' + val + '</td></tr>\n';
++        out += '<tr><td>' + htmlEncode(opt) + '</td><td>' + htmlEncode(val) + '</td></tr>\n';
+       }
+     });
+     return out + '</table>';
+@@ -879,7 +879,7 @@
+   }.property("status_val"),
+   show_status: function() {
+     return '<span style="' + this.get('status_style') + '">'
+-      + this.get('status') + (this.get("is_unmanaged") ? " (unmanaged)" : "")
++      + htmlEncode(this.get('status')) + (this.get("is_unmanaged") ? " (unmanaged)" : "")
+       + '</span>';
+   }.property("status_style", "disabled"),
+   status_class: function() {
+--- a/pcsd/public/js/pcsd.js
++++ b/pcsd/public/js/pcsd.js
+@@ -822,7 +822,7 @@
+ 
+   dialog_obj.find('#auth_nodes_list').empty();
+   unauth_nodes.forEach(function(node) {
+-    dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + node + '</td><td><input type="password" name="' + node + '-pass"></td></tr>\n');
++    dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + htmlEncode(node) + '</td><td><input type="password" name="' + htmlEncode(node) + '-pass"></td></tr>\n');
+   });
+ 
+ }
diff -Nru pcs-0.9.155+dfsg/debian/patches/series pcs-0.9.155+dfsg/debian/patches/series
--- pcs-0.9.155+dfsg/debian/patches/series	2017-01-13 13:50:46.000000000 +0100
+++ pcs-0.9.155+dfsg/debian/patches/series	2017-03-21 20:37:55.000000000 +0100
@@ -9,3 +9,4 @@
 0009-Fix-testsuite.patch
 0010-Replace-chkconfig.patch
 0011-Fix-python-lxml.patch
+0012-CVE-2017-2661.patch


unblock pcs/0.9.155+dfsg-2

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

--- End Message ---

--- Begin Message ---

To: 858427-done@bugs.debian.org

Subject: unblock pcs

From: Emilio Pozuelo Monfort <pochu@respighi.debian.org>

Date: Wed, 22 Mar 2017 17:26:02 +0000

Message-id: <E1cqk1K-0003UQ-Bm@respighi.debian.org>
Unblocked.
--- End Message ---

Reply to:

References:
- Bug#858427: unblock: pcs/0.9.155+dfsg-2
  - From: Valentin Vidic <Valentin.Vidic@CARNet.hr>

Prev by Date: Bug#858426: unblock: tworld/1.3.2-3
Next by Date: Re: Merged /usr - supported in stretch?
Previous by thread: Bug#858427: unblock: pcs/0.9.155+dfsg-2
Next by thread: Bug#858433: unblock: seer/1.1.2-2
Index(es):
- Date
- Thread