Hello community, here is the log from the commit of package git for openSUSE:11.3 checked in at Tue Jun 21 18:44:47 CEST 2011.
-------- --- old-versions/11.3/UPDATES/all/git/git.changes 2011-01-13 20:15:30.000000000 +0100 +++ 11.3/git/git.changes 2011-06-17 12:06:52.000000000 +0200 @@ -1,0 +2,5 @@ +Fri Jun 17 12:05:49 CEST 2011 - [email protected] + +- Fix VUL-1: git-web xss (CVE-2011-2186, bnc#698456) + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 New: ---- git-prevent_xss-default.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ git.spec ++++++ --- /var/tmp/diff_new_pack.H063nO/_old 2011-06-21 18:43:44.000000000 +0200 +++ /var/tmp/diff_new_pack.H063nO/_new 2011-06-21 18:43:44.000000000 +0200 @@ -39,7 +39,7 @@ BuildRequires: python BuildRequires: perl-Error Version: 1.7.1 -Release: 2.<RELEASE2> +Release: 2.<RELEASE5> Summary: Fast, scalable, distributed revision control system License: GPLv2+ Group: Development/Tools/Version Control @@ -55,6 +55,8 @@ Patch3: completion-wordbreaks.diff Patch4: gitweb-escattr.diff Patch5: git-setup-overflow.diff +# CVE-2011-2186, bnc#698456 +Patch6: git-prevent_xss-default.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: git-core = %{version} Recommends: git-svn git-cvs git-email gitk git-gui git-web @@ -266,6 +268,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build cat > .make <<'EOF' ++++++ git-prevent_xss-default.diff ++++++ From: Jakub Narebski <[email protected]> Subject: [PATCH] gitweb: Enable $prevent_xss by default This fixes issue CVE-2011-2186 originally reported in https://launchpad.net/bugs/777804 Reported-by: dave b <[email protected]> Signed-off-by: Jakub Narebski <[email protected]> --- gitweb/README | 5 +++-- gitweb/gitweb.perl | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) --- a/gitweb/README +++ b/gitweb/README 
@@ -227,8 +227,9 @@ * $prevent_xss If true, some gitweb features are disabled to prevent content in repositories from launching cross-site scripting (XSS) attacks. Set this - to true if you don't trust the content of your repositories. The default - is false. + to false if you trust the content of your repositories, and want to use + per-repository README.html, or use gitweb as deployment platform + via 'blob_plain' view and path_info links. The default is true. * $maxload Used to set the maximum load that we will still respond to gitweb queries. If server load exceed this value then return "503 Service Unavaliable" error. --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -158,7 +158,7 @@ # Disables features that would allow repository owners to inject script into # the gitweb domain. -our $prevent_xss = 0; +our $prevent_xss = 1; # information about snapshot formats that gitweb is capable of serving our %known_snapshot_formats = ( ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
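Review bot: the git.changes entry "Fix VUL-1: git-web xss (CVE-2011-2186, bnc#698456)" does not say that the fix is a default flip, from $prevent_xss = 0 to $prevent_xss = 1 in gitweb.perl, which according to the README hunk disables per-repository README.html and serving of repository content through the 'blob_plain' view with path_info links. Administrators who rely on those features will see gitweb behave differently after the update; state the behaviour change in the changelog entry and point out that sites which trust their repositories must now set $prevent_xss = 0 explicitly.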
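Review bot: the gitweb/README hunk keeps the vague description "some gitweb features are disabled" and only names the affected features (per-repository README.html, the 'blob_plain' view and path_info links) in the advice about when to set the option to false. Move that list into the description sentence so a reader of the option sees exactly what $prevent_xss turns off, e.g. "If true, per-repository README.html and raw serving of repository content via the 'blob_plain' view and path_info links are disabled to prevent ...". The unchanged context line "503 Service Unavaliable" is misspelled ("Unavailable"), but that belongs in a separate cleanup patch rather than a security update.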
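Review bot: in the gitweb.perl hunk, changing the built-in default to `our $prevent_xss = 1;` only protects installations that never set the variable themselves; a deployment whose gitweb configuration already contains an explicit `$prevent_xss = 0` (the value the old README documented as the default) keeps the unsafe behaviour after this update. The update notice should tell administrators to check their configuration for an explicit override, and the comment above the assignment ("Disables features that would allow repository owners to inject script into the gitweb domain") would be more useful if it named those features (README.html, 'blob_plain' with path_info) the way the README hunk does.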
