Hello community, here is the log from the commit of package git for openSUSE:Factory checked in at Tue Jun 21 09:27:56 CEST 2011.
-------- --- git/git.changes 2011-06-06 16:11:47.000000000 +0200 +++ /mounts/work_src_done/STABLE/git/git.changes 2011-06-17 11:54:35.000000000 +0200 @@ -1,0 +2,5 @@ +Fri Jun 17 11:53:21 CEST 2011 - [email protected] + +- Fix VUL-1: git-web xss (CVE-2011-2186, bnc#698456) + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- git-prevent_xss-default.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cgit.spec ++++++ --- /var/tmp/diff_new_pack.sSYK1l/_old 2011-06-21 09:24:17.000000000 +0200 +++ /var/tmp/diff_new_pack.sSYK1l/_new 2011-06-21 09:24:17.000000000 +0200 @@ -25,7 +25,7 @@ Group: Development/Libraries/C and C++ AutoReqProv: on Version: 0.9 -Release: 3 +Release: 4 Summary: A web frontend for git repositories Source0: %{name}-%{version}.tar.bz2 Source1: git-%{git_version}.tar.bz2 ++++++ git.spec ++++++ --- /var/tmp/diff_new_pack.sSYK1l/_old 2011-06-21 09:24:17.000000000 +0200 +++ /var/tmp/diff_new_pack.sSYK1l/_new 2011-06-21 09:24:17.000000000 +0200 @@ -39,7 +39,7 @@ BuildRequires: python BuildRequires: perl-Error Version: 1.7.5.4 -Release: 1 +Release: 3 Summary: Fast, scalable, distributed revision control system License: GPLv2+ Group: Development/Tools/Version Control @@ -53,6 +53,8 @@ Patch1: git-nohardlink.diff Patch2: git-python-install-fix.diff Patch3: completion-wordbreaks.diff +# CVE-2011-2186, bnc#698456 +Patch4: git-prevent_xss-default.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: git-core = %{version} Recommends: git-svn git-cvs git-email gitk git-gui git-web @@ -262,6 +264,7 @@ %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 %build cat > .make <<'EOF' ++++++ git-prevent_xss-default.diff ++++++ 
From: Jakub Narebski <[email protected]> Subject: [PATCH] gitweb: Enable $prevent_xss by default This fixes issue CVE-2011-2186 originally reported in https://launchpad.net/bugs/777804 Reported-by: dave b <[email protected]> Signed-off-by: Jakub Narebski <[email protected]> --- git-instaweb.sh | 4 ++++ gitweb/README | 5 +++-- gitweb/gitweb.perl | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) --- a/git-instaweb.sh +++ b/git-instaweb.sh @@ -583,6 +583,10 @@ our \$git_temp = "$fqgitdir/gitweb/tmp"; our \$projects_list = \$projectroot; +# we can trust our own repository, so disable XSS prevention +# to enable some extra features +our \$prevent_xss = 0; + \$feature{'remote_heads'}{'default'} = [1]; EOF } --- a/gitweb/README +++ b/gitweb/README @@ -236,8 +236,9 @@ * $prevent_xss If true, some gitweb features are disabled to prevent content in repositories from launching cross-site scripting (XSS) attacks. Set this - to true if you don't trust the content of your repositories. The default - is false. + to false if you trust the content of your repositories, and want to use + per-repository README.html, or use gitweb as deployment platform + via 'blob_plain' view and path_info links. The default is true. * $maxload Used to set the maximum load that we will still respond to gitweb queries. If server load exceed this value then return "503 Service Unavailable" error. --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -162,7 +162,7 @@ # Disables features that would allow repository owners to inject script into # the gitweb domain. -our $prevent_xss = 0; +our $prevent_xss = 1; # Path to the highlight executable to use (must be the one from # http://www.andre-simon.de due to assumptions about parameters and output). ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
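Review bot: In the cgit.spec hunk, `Release: 4` is bumped with no matching cgit.changes entry anywhere in this log, so the reason for the rebuild is not recorded; since cgit builds from `Source1: git-%{git_version}.tar.bz2` rather than from the patched gitweb, add a one-line changes entry stating whether this is a rebuild against the fixed git package or an unrelated bump.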
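Review bot: In the first git.spec hunk the release jumps from `-Release: 1` to `+Release: 3` while git.changes gains only one entry; confirm the skipped release number is intentional (an intermediate submission that never reached Factory) and otherwise use `Release: 2` so the spec and the changelog stay in step.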
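Review bot: The git-instaweb.sh hunk silently undoes the new default by writing `our \$prevent_xss = 0;` into the generated gitweb config, and the comment "we can trust our own repository" is the only justification; extend the comment to name what is being re-enabled (per-repository README.html, `blob_plain` with path_info links, as the README hunk lists) and to state that this only holds because instaweb serves the user's own local checkout, so anyone who repurposes the generated config for a shared host knows this line must go.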
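Review bot: In the gitweb/README hunk, "use gitweb as deployment platform" is missing an article and reads awkwardly; suggest "use gitweb as a deployment platform". The rewritten sentence otherwise documents the new default correctly and matches the `our $prevent_xss = 1;` change in gitweb.perl.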
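Review bot: The gitweb/gitweb.perl hunk flips the shipped default (`-our $prevent_xss = 0;` to `+our $prevent_xss = 1;`) but leaves the two-line comment above it unchanged, so nothing in the code says this is a behaviour change for existing installs; add a line such as "# Enabled by default (CVE-2011-2186); set to 0 in gitweb_config.perl only for trusted repositories" so administrators who relied on README.html or blob_plain know where to opt back in rather than editing the script.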
