Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page

To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 959231@bugs.debian.org
Subject: Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
From: Florian Weimer <fw@deneb.enyo.de>
Date: Fri, 01 May 2020 16:01:39 +0200
Message-id: <[🔎] 874kszpxdo.fsf@mid.deneb.enyo.de>
Reply-to: Florian Weimer <fw@deneb.enyo.de>, 959231@bugs.debian.org
In-reply-to: <[🔎] 20200501133149.GA8088@eldamar.local> (Salvatore Bonaccorso's message of "Fri, 1 May 2020 15:31:49 +0200")
References: <[🔎] 158832571691.11381.3272769430815254078.reportbug@crunch> <[🔎] 158832571691.11381.3272769430815254078.reportbug@crunch> <[🔎] 87r1w3q43b.fsf@mid.deneb.enyo.de> <[🔎] 158832571691.11381.3272769430815254078.reportbug@crunch> <[🔎] 87h7wzq2gp.fsf@mid.deneb.enyo.de> <[🔎] 20200501122503.GA556012@eldamar.local> <[🔎] 87a72rq1gu.fsf@mid.deneb.enyo.de> <[🔎] 20200501133149.GA8088@eldamar.local> <[🔎] 158832571691.11381.3272769430815254078.reportbug@crunch>

* Salvatore Bonaccorso:

> Hi Florian,
>
> On Fri, May 01, 2020 at 02:33:21PM +0200, Florian Weimer wrote:
>> * Salvatore Bonaccorso:
>> 
>> > Hi Florian,
>> >
>> > On Fri, May 01, 2020 at 02:11:50PM +0200, Florian Weimer wrote:
>> >> * Florian Weimer:
>> >> 
>> >> > * Francesco Poli:
>> >> >
>> >> >> Please note that the CVE is mentioned in [DSA-4667-1].
>> >> >>
>> >> >> [DSA-4667-1]: <https://lists.debian.org/debian-security-announce/2020/msg00071.html>
>> >> >>
>> >> >> What's wrong with that tracker page?
>> >> >
>> >> > It's something in the NVD data that breaks the HTML escaping.
>> >> 
>> >> This patch adds basic Unicode support to the web framework.  I'm not
>> >> sure if it is the right direction to move in, but it fixes the issue.
>> >> 
>> >> An alternative fix would be to change the NVD importer not to put
>> >> Unicode strings into the database, by encoding them as byte strings
>> >> first.
>> >
>> > Do you want to deploy that or rather investigate an alternative?
>> 
>> I'd appreciate if you could spot-check the changes (e.g., do we still
>> do HTML escaping properly?) and deploy it.  It looks like I have
>> forgotten how to do it.
>
> Looks good to me, and yes can deploy it if you want me to. Please have
> a look at at attache git format-patch'ed version if you agree with the
> slight rewrite, since I do not want to commit something in your name
> you would not agree with).

Still looks fine.

Signed-off-by: Florian Weimer <fw@deneb.enyo.de>

Reply to:

References:
- Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
  - From: "Francesco Poli (wintermute)" <invernomuto@paranoici.org>
- Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
  - From: Florian Weimer <fw@deneb.enyo.de>
- Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
  - From: Florian Weimer <fw@deneb.enyo.de>
- Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
  - From: Salvatore Bonaccorso <carnil@debian.org>
- Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
  - From: Florian Weimer <fw@deneb.enyo.de>
- Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
Next by Date: Bug#929228: Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
Previous by thread: Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
Next by thread: Bug#929228: Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
Index(es):
- Date
- Thread