Hello community, here is the log from the commit of package git for openSUSE:11.4 checked in at Tue Jun 21 18:45:48 CEST 2011.
-------- --- old-versions/11.4/all/git/git.changes 2010-12-17 17:53:01.000000000 +0100 +++ 11.4/git/git.changes 2011-06-17 12:09:30.000000000 +0200 @@ -1,0 +2,5 @@ +Fri Jun 17 12:07:08 CEST 2011 - [email protected] + +- Fix VUL-1: git-web xss (CVE-2011-2186, bnc#698456) + +------------------------------------------------------------------- Package does not exist at destination yet. Using Fallback old-versions/11.4/all/git Destination is old-versions/11.4/UPDATES/all/git calling whatdependson for 11.4-i586 New: ---- git-prevent_xss-default.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cgit.spec ++++++ --- /var/tmp/diff_new_pack.xa1bRV/_old 2011-06-21 18:45:15.000000000 +0200 +++ /var/tmp/diff_new_pack.xa1bRV/_new 2011-06-21 18:45:15.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package cgit (Version 0.8.3.3) +# spec file for package cgit # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,7 +25,7 @@ Group: Development/Libraries/C and C++ AutoReqProv: on Version: 0.8.3.3 -Release: 4 +Release: 5.<RELEASE2> Summary: A web frontend for git repositories Source0: %{name}-%{version}.tar.bz2 Source1: git-%{git_version}.tar.bz2 ++++++ git.spec ++++++ --- /var/tmp/diff_new_pack.xa1bRV/_old 2011-06-21 18:45:15.000000000 +0200 +++ /var/tmp/diff_new_pack.xa1bRV/_new 2011-06-21 18:45:15.000000000 +0200 
@@ -1,7 +1,7 @@ # -# spec file for package git (Version 1.7.3.4) +# spec file for package git # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -39,7 +39,7 @@ BuildRequires: python BuildRequires: perl-Error Version: 1.7.3.4 -Release: 1 +Release: 4.<RELEASE5> Summary: Fast, scalable, distributed revision control system License: GPLv2+ Group: Development/Tools/Version Control @@ -53,6 +53,8 @@ Patch1: git-nohardlink.diff Patch2: git-python-install-fix.diff Patch3: completion-wordbreaks.diff +# CVE-2011-2186, bnc#698456 +Patch4: git-prevent_xss-default.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: git-core = %{version} Recommends: git-svn git-cvs git-email gitk git-gui git-web @@ -262,6 +264,7 @@ %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 %build cat > .make <<'EOF' ++++++ git-prevent_xss-default.diff ++++++ From: Jakub Narebski <[email protected]> Subject: [PATCH] gitweb: Enable $prevent_xss by default This fixes issue CVE-2011-2186 originally reported in https://launchpad.net/bugs/777804 Reported-by: dave b <[email protected]> Signed-off-by: Jakub Narebski <[email protected]> --- git-instaweb.sh | 4 ++++ gitweb/README | 5 +++-- gitweb/gitweb.perl | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) --- a/git-instaweb.sh +++ b/git-instaweb.sh @@ -580,6 +580,10 @@ our \$projectroot = "$(dirname "$fqgitdir")"; our \$git_temp = "$fqgitdir/gitweb/tmp"; our \$projects_list = \$projectroot; + +# we can trust our own repository, so disable XSS prevention +# to enable some extra features +our \$prevent_xss = 0; EOF } --- a/gitweb/README +++ b/gitweb/README 
@@ -229,8 +229,9 @@ * $prevent_xss If true, some gitweb features are disabled to prevent content in repositories from launching cross-site scripting (XSS) attacks. Set this - to true if you don't trust the content of your repositories. The default - is false. + to false if you trust the content of your repositories, and want to use + per-repository README.html, or use gitweb as deployment platform + via 'blob_plain' view and path_info links. The default is true. * $maxload Used to set the maximum load that we will still respond to gitweb queries. If server load exceed this value then return "503 Service Unavailable" error. --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -164,7 +164,7 @@ # Disables features that would allow repository owners to inject script into # the gitweb domain. -our $prevent_xss = 0; +our $prevent_xss = 1; # information about snapshot formats that gitweb is capable of serving our %known_snapshot_formats = ( ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
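Review bot: the git.changes entry ("Fix VUL-1: git-web xss (CVE-2011-2186, bnc#698456)") does not tell administrators that this update changes a default rather than just patching a bug: after the update, gitweb disables per-repository README.html and raw serving through the 'blob_plain' view unless the site overrides `our $prevent_xss = 0;` in its gitweb config. Add that one sentence to the changelog so an operator who relied on blob_plain as a deployment channel knows why it stopped working and how to opt back in deliberately.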
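Review bot: the cgit.spec hunk bumps Release from 4 to 5.<RELEASE2> and refreshes the header, but nothing in this log records why cgit is rebuilt; the only changelog shown is git.changes, and no patch is added to cgit.spec even though it consumes git-%{git_version}.tar.bz2 as Source1. Add a cgit.changes entry saying whether the rebuild picks up git-prevent_xss-default.diff (cgit does not ship gitweb.perl, so presumably not) or is a version-sync rebuild only, so the scope of this security update is auditable from the changelogs alone.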
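Review bot: the comment added to git-instaweb.sh ("we can trust our own repository, so disable XSS prevention to enable some extra features") should name the features it re-enables, namely per-repository README.html and raw content via the 'blob_plain' view, exactly as the gitweb/README hunk in the same patch does. The trust assumption also deserves one more clause: it holds only while the instaweb instance serves a repository whose every committer is trusted, since the gitweb.perl comment describes the risk as repository content injecting script into the gitweb domain. Something like `# re-enables README.html and raw blob_plain serving; safe only for a repository whose content we fully control` keeps the override self-explanatory for whoever later points instaweb at a shared repository.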
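Review bot: in the gitweb/README hunk, "Set this to false if you trust the content of your repositories" states the trust condition too loosely; what matters is whether everyone who can push content to the served repositories is trusted not to plant HTML or script, because the disabled features (README.html, 'blob_plain' with path_info links) serve repository-controlled bytes from the gitweb origin. Suggest "Set this to false only if you trust every committer of the repositories you serve, and want to use per-repository README.html ...", so the documented opt-out matches the threat the variable exists to block.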
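Review bot: the one-line flip to `our $prevent_xss = 1;` in gitweb.perl is the actual fix and is correct, but the comment above it ("Disables features that would allow repository owners to inject script into the gitweb domain") now describes a default rather than an option and does not say where to change it. Extend the comment to state that the protection is on by default and that sites needing README.html or blob_plain serving should override the variable in their gitweb config file rather than edit gitweb.perl, so the override survives package updates like this one.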
