Your message dated Sun, 4 Jun 2023 21:46:56 +0200 with message-id <3333b6db-1b2b-305c-dd63-9664f0fa7e60@debian.org> and subject line closing still open unblock requests has caused the Debian Bug report #1037082, regarding unblock: kanboard/1.2.26+ds-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1037082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037082 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: kanboard/1.2.26+ds-3
- From: Joseph Nahmias <joe@nahmias.net>
- Date: Sat, 03 Jun 2023 22:03:17 -0400
- Message-id: <[🔎] 168584419772.1762622.15784373085284885365.reportbug@pinky.nahmias.net>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock X-Debbugs-Cc: kanboard@packages.debian.org, joe@nahmias.net Control: affects -1 + src:kanboard Please unblock package kanboard [ Reason ] Security fix only for CVE-2023-32685 from kanboard v1.2.29 https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing unblock kanboard/1.2.26+ds-3diff -Nru kanboard-1.2.26+ds/debian/changelog kanboard-1.2.26+ds/debian/changelog --- kanboard-1.2.26+ds/debian/changelog 2023-05-16 22:49:38.000000000 -0400 +++ kanboard-1.2.26+ds/debian/changelog 2023-05-28 21:42:46.000000000 -0400 @@ -1,3 +1,11 @@ +kanboard (1.2.26+ds-3) unstable; urgency=medium + + * backport fix for CVE-2023-32685 from kanboard v1.2.29 + https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv + Based on upstream commits 26b6eeb & c9c1872. (Closes: #1036874) + + -- Joseph Nahmias <jello@debian.org> Sun, 28 May 2023 21:42:46 -0400 + kanboard (1.2.26+ds-2) unstable; urgency=medium * properly test for lighty-enable-mod. diff -Nru kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch --- kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 1969-12-31 19:00:00.000000000 -0500 +++ kanboard-1.2.26+ds/debian/patches/CVE-2023-32685.patch 2023-05-28 21:41:20.000000000 -0400 @@ -0,0 +1,111 @@ +Description: fix for CVE-2023-32685 + Clipboard based cross-site scripting (blocked with default CSP) + https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv +Author: Frédéric Guillot <fred@kanboard.net> +Origin: upstream +Last-Update: 2023-05-24 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +diff --git a/assets/js/components/screenshot.js b/assets/js/components/screenshot.js +index a8acd64..1130bd2 100644 +--- a/assets/js/components/screenshot.js ++++ b/assets/js/components/screenshot.js +@@ -1,5 +1,4 @@ + KB.component('screenshot', function (containerElement) { +- var pasteCatcher = null; + var inputElement = null; + + function onFileLoaded(e) { +@@ -7,7 +6,6 @@ KB.component('screenshot', function (containerElement) { + } + + function onPaste(e) { +- // Firefox doesn't have the property e.clipboardData.items (only Chrome) + if (e.clipboardData && e.clipboardData.items) { + var items = e.clipboardData.items; + +@@ -24,69 +22,13 @@ KB.component('screenshot', function (containerElement) { + } + } + } +- } else { +- +- // Handle Firefox +- setTimeout(checkInput, 100); + } + } + + function initialize() { +- destroy(); +- +- if (! window.Clipboard) { +- // Insert the content editable at the top to avoid scrolling down in the board view +- pasteCatcher = document.createElement('div'); +- pasteCatcher.id = 'screenshot-pastezone'; +- pasteCatcher.contentEditable = true; +- pasteCatcher.style.opacity = 0; +- pasteCatcher.style.position = 'fixed'; +- pasteCatcher.style.top = 0; +- pasteCatcher.style.right = 0; +- pasteCatcher.style.width = 0; +- document.body.insertBefore(pasteCatcher, document.body.firstChild); +- +- pasteCatcher.focus(); +- +- // Set the focus when clicked anywhere in the document +- document.addEventListener('click', setFocus); +- +- // Set the focus when clicked in screenshot dropzone +- document.getElementById('screenshot-zone').addEventListener('click', setFocus); +- } +- + window.addEventListener('paste', onPaste, false); + } + +- function destroy() { +- if (KB.exists('#screenshot-pastezone')) { +- KB.find('#screenshot-pastezone').remove(); +- } +- +- document.removeEventListener('click', setFocus); +- pasteCatcher = null; +- } +- +- function setFocus() { +- if (pasteCatcher !== null) { +- pasteCatcher.focus(); +- } +- } +- +- function checkInput() { +- var child = pasteCatcher.childNodes[0]; +- +- if (child) { +- // If the user pastes an image, the src attribute +- // will represent the image as a base64 encoded string. +- if (child.tagName === 'IMG') { +- createImage(child.src); +- } +- } +- +- pasteCatcher.innerHTML = ''; +- } +- + function createImage(blob) { + var pastedImage = new Image(); + pastedImage.src = blob; +@@ -102,14 +44,9 @@ KB.component('screenshot', function (containerElement) { + zone.className = 'screenshot-pasted'; + zone.appendChild(pastedImage); + +- destroy(); + initialize(); + } + +- KB.on('modal.close', function () { +- destroy(); +- }); +- + this.render = function () { + inputElement = KB.dom('input') + .attr('type', 'hidden') diff -Nru kanboard-1.2.26+ds/debian/patches/series kanboard-1.2.26+ds/debian/patches/series --- kanboard-1.2.26+ds/debian/patches/series 2023-01-14 19:48:28.000000000 -0500 +++ kanboard-1.2.26+ds/debian/patches/series 2023-05-28 21:41:20.000000000 -0400 @@ -5,3 +5,4 @@ loosen_php_module_version_requirements.patch fix_version_testing.patch fix_plugin_dir_test.patch +CVE-2023-32685.patch
--- End Message ---
--- Begin Message ---
- To: 1037072-done@bugs.debian.org, 1037076-done@bugs.debian.org, 1037078-done@bugs.debian.org, 1037079-done@bugs.debian.org, 1037082-done@bugs.debian.org
- Subject: closing still open unblock requests
- From: Paul Gevers <elbrus@debian.org>
- Date: Sun, 4 Jun 2023 21:46:56 +0200
- Message-id: <3333b6db-1b2b-305c-dd63-9664f0fa7e60@debian.org>
Hi,The unblock requests that I'm closing in this message all came in after the deadline of 2023-05-28 12:00 UTC. We didn't have time to process them before the quiet period that started today.PaulAttachment: OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---