Hello community, here is the log from the commit of package kdelibs4 for openSUSE:11.4 checked in at Mon Apr 18 18:29:37 CEST 2011.
-------- --- old-versions/11.4/UPDATES/all/kdelibs4/kdelibs4-apidocs.changes 2011-02-22 21:13:53.000000000 +0100 +++ 11.4/kdelibs4/kdelibs4-apidocs.changes 2011-04-11 17:52:46.000000000 +0200 @@ -1,0 +2,11 @@ +Mon Apr 11 15:51:52 UTC 2011 - [email protected] + +- Add patch vs XSS vulnerability in KHTML error handling + (CVE-2011-1168) + +------------------------------------------------------------------- +Tue Mar 22 20:05:02 UTC 2011 - [email protected] + +- Harden SSL verification against poisoned DNS attacks (bnc#669222) + +------------------------------------------------------------------- --- old-versions/11.4/UPDATES/all/kdelibs4/kdelibs4.changes 2011-03-22 21:06:36.000000000 +0100 +++ 11.4/kdelibs4/kdelibs4.changes 2011-04-11 17:52:46.000000000 +0200 @@ -1,0 +2,6 @@ +Mon Apr 11 15:51:52 UTC 2011 - [email protected] + +- Add patch vs XSS vulnerability in KHTML error handling + (CVE-2011-1168) + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- d4098c3e-khtml-xss.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kdelibs4-apidocs.spec ++++++ --- /var/tmp/diff_new_pack.xtV3WS/_old 2011-04-18 18:28:47.000000000 +0200 +++ /var/tmp/diff_new_pack.xtV3WS/_new 2011-04-18 18:28:47.000000000 +0200 @@ -26,7 +26,7 @@ Summary: KDE 4 API documentation Url: http://www.kde.org Version: 4.6.0 -Release: 3.<RELEASE3> +Release: 3.<RELEASE4> Requires: kde4-filesystem Source0: kdelibs-%version.tar.bz2 Source1: baselibs.conf ++++++ kdelibs4.spec ++++++ --- /var/tmp/diff_new_pack.xtV3WS/_old 2011-04-18 18:28:47.000000000 +0200 +++ /var/tmp/diff_new_pack.xtV3WS/_new 2011-04-18 18:28:47.000000000 +0200 
@@ -44,7 +44,7 @@ Summary: KDE Base Libraries Url: http://www.kde.org Version: 4.6.0 -Release: 6.<RELEASE13> +Release: 6.<RELEASE15> Requires: soprano >= %( echo `rpm -q --queryformat '%{VERSION}' libsoprano-devel`) Recommends: strigi >= %( echo `rpm -q --queryformat '%{VERSION}' strigi-devel`) Requires: kdelibs4-core = %version @@ -77,6 +77,7 @@ Patch27: udisks-no-volume-label.diff Patch28: no_kbookmark_write_error.diff Patch29: 23621737-ssl-wildcards.diff +Patch30: d4098c3e-khtml-xss.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %requires_ge libqt4-x11 %if 0%{?opensuse_bs} @@ -167,6 +168,7 @@ %patch27 -p1 %patch28 -p1 %patch29 -p1 +%patch30 -p1 # # define KDE version exactly # ++++++ d4098c3e-khtml-xss.diff ++++++ --- a/khtml/khtml_part.cpp +++ b/khtml/khtml_part.cpp @@ -1804,7 +1804,10 @@ void KHTMLPart::htmlError( int errorCode stream >> errorName >> techName >> description >> causes >> solutions; QString url, protocol, datetime; - url = Qt::escape( reqUrl.prettyUrl() ); + + // This is somewhat confusing, but we have to escape the externally- + // controlled URL twice: once for i18n, and once for HTML. + url = Qt::escape( Qt::escape( reqUrl.prettyUrl() ) ); protocol = reqUrl.protocol(); datetime = KGlobal::locale()->formatDateTime( QDateTime::currentDateTime(), KLocale::LongDate ); ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
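Review bot: in the khtml_part.cpp hunk, only `url` is escaped twice while `protocol` (also derived from the externally supplied `reqUrl`) and `datetime` go into the same error-page template unescaped; if a later i18n substitution unescapes entities as the comment says, confirm that `protocol` cannot carry HTML metacharacters or give it the same treatment. The comment should also name the call that performs the un-escaping, so that `Qt::escape( Qt::escape( ... ) )` is not later "simplified" back to a single escape by someone who reads it as a mistake.

Review bot: in the kdelibs4.spec hunks, `Patch30: d4098c3e-khtml-xss.diff` is declared and applied with `%patch30 -p1`, which matches the `a/` and `b/` prefixes in the patch; the kdelibs4.changes entry "Add patch vs XSS vulnerability in KHTML error handling (CVE-2011-1168)" could also cite the upstream commit id d4098c3e that the patch filename already carries, so the fix stays traceable if the file is renamed.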
