On Wed, Dec 08, 2010 at 11:15:24PM +0000, Dominic Hargreaves wrote:
> On Wed, Dec 08, 2010 at 07:51:50PM +0000, Dominic Hargreaves wrote:
> 
> > The changes can be summarised roughly as follows:
> > 
> >  lib/MT/App/Search.pm                |   22 +++++++++++++++++-----
> > 
> > Input checking
> 
> Patch does not apply to 4.2.3-1+lenny1
> 
> >  lib/MT/CMS/Tools.pm                 |    5 ++++-
> > 
> > HTML/JS escaping
> 
> Patch does not apply to 4.2.3-1+lenny1
> 
> >  lib/MT/Template/Context/Search.pm   |    4 ++--
> > 
> > URI encoding
> 
> Applies to 4.2.3-1+lenny1
> 
> >  lib/MT/Template/ContextHandlers.pm  |   26 ++++++++++++++++----------
> > 
> > Input checking, HTML escaping
> 
> Applied with small adaptation.
> 
> >  php/extlib/ezsql/ezsql_postgres.php |    2 +-
> > 
> > Modifying input checking
> 
> Applies to 4.2.3-1+lenny1
> 
> >  php/lib/mtdb_base.php               |   23 +++++++++++++++++++----
> > 
> > Modifying logic to accommodate escaping
> 
> Applies to 4.2.3-1+lenny1
> 
> >  php/mt.php                          |    5 +++--
> > 
> > Modifying input checking
> 
> Applies to 4.2.3-1+lenny1
> 
> > Although not well documented it's clear that these changes are all
> > security-relevant, so I propose to upload 4.3.5 to unstable and have it
> > migrate to testing. I will go ahead with an upload to unstable this
> > evening unless someone shouts.
> 
> > Still TODO: assess stable.
> 
> So, at least some of these issues probably apply to stable. I'd
> appreciate any help validating these changes (I haven't had a chance
> to build or test yet) and helping determine whether the two fixes which
> didn't apply at all need adjusting (i.e. whether the issues exist in 4.23
> in a different form).
> 
> I've attached the results of the above patching.

I've pushed the diff to git now:
<http://git.debian.org/?p=pkg-mt-om/movabletype-opensource.git;a=commit;h=66daeefb9288a35e45a0634d5419fb0cf28c8d5f>

and built/basic sanity checked the resulting packages. It's quite
possibly not complete but in the absence of upstream support for older
versions is at least a decent attempt.

DSA and/or SRM, would this be okay to release as either a DSA or update
to stable?

Thanks,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
