Package: php-horde
Version: 5.2.1+debian0-2
Tags: security jessie
X-Debbugs-CC: [email protected]
Control: fixed -1 5.2.5+debian0-1

Hello,

Fix is at:
https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220

I plan to fix it in a stable update (see attached patch)

NB: no CVE (see
http://lists.horde.org/archives/dev/Week-of-Mon-20141201/028821.html
for my previous request)

Regards

-- 
Mathieu
From 7d562b1d1e92dd77c2875f8db990821521097e9b Mon Sep 17 00:00:00 2001
From: Mathieu Parent <[email protected]>
Date: Fri, 15 May 2015 11:38:49 +0200
Subject: [PATCH] Fix XSS in group administration (Closes: #nnnnnn)

---
 debian/changelog                                   |  6 ++++++
 .../0003-Fix-XSS-in-group-administration.patch     | 23 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 30 insertions(+)
 create mode 100644 debian/patches/0003-Fix-XSS-in-group-administration.patch

diff --git a/debian/changelog b/debian/changelog
index 2796877..384e52b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-horde (5.2.1+debian0-2+deb8u1) stable; urgency=medium
+
+  * Fix XSS in group administration (Closes: #nnnnnn)
+
+ -- Mathieu Parent <[email protected]>  Fri, 15 May 2015 11:37:29 +0200
+
 php-horde (5.2.1+debian0-2) unstable; urgency=medium
 
   * Update Standards-Version, no change
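Review bot: The "Closes: #nnnnnn" placeholder in the new changelog entry (also present in the Subject line of this commit) has to be replaced with the real bug number before upload, otherwise the upload will not close the bug. The entry could also name the patch it adds, 0003-Fix-XSS-in-group-administration.patch, so that the changelog line maps directly to the change under debian/patches.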
diff --git a/debian/patches/0003-Fix-XSS-in-group-administration.patch b/debian/patches/0003-Fix-XSS-in-group-administration.patch
new file mode 100644
index 0000000..f318a40
--- /dev/null
+++ b/debian/patches/0003-Fix-XSS-in-group-administration.patch
@@ -0,0 +1,23 @@
+From: Mathieu Parent <[email protected]>
+Date: Tue, 5 May 2015 21:56:08 +0200
+Subject: Fix XSS in group administration
+
+Origin: https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220
+Author: Jan Schneider <[email protected]>
+---
+ horde-5.2.1/admin/groups.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/horde-5.2.1/admin/groups.php b/horde-5.2.1/admin/groups.php
+index 3a3fa48..0423531 100644
+--- a/horde-5.2.1/admin/groups.php
++++ b/horde-5.2.1/admin/groups.php
+@@ -211,7 +211,7 @@ foreach ($nodes as $id => $node) {
+     $tree->addNode(array(
+         'id' => $id,
+         'parent' => null,
+-        'label' => $node,
++        'label' => htmlspecialchars($node),
+         'expanded' => false,
+         'params' => $group_node + $node_params,
+         'right' => array($spacer, $delete_link)
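Review bot: In the admin/groups.php hunk only 'label' is passed through htmlspecialchars(), while 'params' => $group_node + $node_params and the $delete_link in 'right' are built outside the visible lines, so it is worth confirming that neither of them carries the unescaped group name into the page. The call also relies on the default flags and charset of htmlspecialchars(), which on the PHP version shipped in jessie leave single quotes unescaped. That is enough if the tree renderer only emits the label as element text; htmlspecialchars($node, ENT_QUOTES, 'UTF-8') would cover attribute contexts as well, at the cost of diverging from the upstream commit named in the Origin header.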
diff --git a/debian/patches/series b/debian/patches/series
index 8e6d7d8..df54592 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0002-Fix-rewrite-base.patch
+0003-Fix-XSS-in-group-administration.patch
-- 
2.1.4
