Your message dated Wed, 22 Mar 2017 17:26:02 +0000
with message-id <[email protected]>
and subject line unblock pcs
has caused the Debian Bug report #858427,
regarding unblock: pcs/0.9.155+dfsg-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
858427: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858427
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package pcs
This upload fixes CVE-2017-2661 reported in #858379 by
applying an upstream patch.
diff -Nru pcs-0.9.155+dfsg/debian/changelog pcs-0.9.155+dfsg/debian/changelog
--- pcs-0.9.155+dfsg/debian/changelog 2017-01-13 13:50:46.000000000 +0100
+++ pcs-0.9.155+dfsg/debian/changelog 2017-03-21 20:37:55.000000000 +0100
@@ -1,3 +1,9 @@
+pcs (0.9.155+dfsg-2) unstable; urgency=medium
+
+ * Add upstream fix for CVE-2017-2661 (Closes: #858379)
+
+ -- Valentin Vidic <[email protected]> Tue, 21 Mar 2017 20:37:55 +0100
+
pcs (0.9.155+dfsg-1) unstable; urgency=medium
* Repack upstream source without Liberation fonts (Closes: #851115)
diff -Nru pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch
pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch
--- pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch 1970-01-01
01:00:00.000000000 +0100
+++ pcs-0.9.155+dfsg/debian/patches/0012-CVE-2017-2661.patch 2017-03-21
20:37:55.000000000 +0100
@@ -0,0 +1,41 @@
+From: Ondrej Mular <[email protected]>
+Date: Sat, 4 Mar 2017 14:01:43 +0100
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1428948
+Subject: [PATCH] web UI: fixed XSS vulnerability
+
+---
+ pcsd/public/js/nodes-ember.js | 4 ++--
+ pcsd/public/js/pcsd.js | 2 +-
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/pcsd/public/js/nodes-ember.js
++++ b/pcsd/public/js/nodes-ember.js
+@@ -75,7 +75,7 @@
+ var banned_options = ["SBD_OPTS", "SBD_WATCHDOG_DEV", "SBD_PACEMAKER"];
+ $.each(this.get("sbd_config"), function(opt, val) {
+ if (banned_options.indexOf(opt) == -1) {
+- out += '<tr><td>' + opt + '</td><td>' + val + '</td></tr>\n';
++ out += '<tr><td>' + htmlEncode(opt) + '</td><td>' + htmlEncode(val) +
'</td></tr>\n';
+ }
+ });
+ return out + '</table>';
+@@ -879,7 +879,7 @@
+ }.property("status_val"),
+ show_status: function() {
+ return '<span style="' + this.get('status_style') + '">'
+- + this.get('status') + (this.get("is_unmanaged") ? " (unmanaged)" : "")
++ + htmlEncode(this.get('status')) + (this.get("is_unmanaged") ? "
(unmanaged)" : "")
+ + '</span>';
+ }.property("status_style", "disabled"),
+ status_class: function() {
+--- a/pcsd/public/js/pcsd.js
++++ b/pcsd/public/js/pcsd.js
+@@ -822,7 +822,7 @@
+
+ dialog_obj.find('#auth_nodes_list').empty();
+ unauth_nodes.forEach(function(node) {
+- dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + node +
'</td><td><input type="password" name="' + node + '-pass"></td></tr>\n');
++ dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" +
htmlEncode(node) + '</td><td><input type="password" name="' + htmlEncode(node)
+ '-pass"></td></tr>\n');
+ });
+
+ }
diff -Nru pcs-0.9.155+dfsg/debian/patches/series
pcs-0.9.155+dfsg/debian/patches/series
--- pcs-0.9.155+dfsg/debian/patches/series 2017-01-13 13:50:46.000000000
+0100
+++ pcs-0.9.155+dfsg/debian/patches/series 2017-03-21 20:37:55.000000000
+0100
@@ -9,3 +9,4 @@
0009-Fix-testsuite.patch
0010-Replace-chkconfig.patch
0011-Fix-python-lxml.patch
+0012-CVE-2017-2661.patch
unblock pcs/0.9.155+dfsg-2
-- System Information:
Debian Release: 9.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---
