Your message dated Wed, 25 Feb 2015 19:20:19 +0000
with message-id <[email protected]>
and subject line Re: Bug#779229: unblock: redmine/3.0~20140825-5
has caused the Debian Bug report #779229,
regarding unblock: redmine/3.0~20140825-5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
779229: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779229
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package redmine
This version includes a patch for a security issue which has no public
identifier yet.
The debdiff against the package in testing is attached.
unblock redmine/3.0~20140825-5
-- System Information:
Debian Release: 8.0
APT prefers buildd-unstable
APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--
Antonio Terceiro <[email protected]>
diff -Nru redmine-3.0~20140825/debian/changelog redmine-3.0~20140825/debian/changelog
--- redmine-3.0~20140825/debian/changelog 2015-01-30 14:04:43.000000000 -0200
+++ redmine-3.0~20140825/debian/changelog 2015-02-22 11:35:14.000000000 -0300
@@ -1,3 +1,11 @@
+redmine (3.0~20140825-5) unstable; urgency=high
+
+ * debian/patches/0001-Escape-flash-messages-19117.patch
+ - Fix potential XSS vulnerability with flash messages.
+ - No CVE id assigned yet
+
+ -- Antonio Terceiro <[email protected]> Sun, 22 Feb 2015 11:32:27 -0300
+
redmine (3.0~20140825-4) unstable; urgency=medium
* debian/doc/examples/apache2-passenger-alias.conf: updated example
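Review bot: the changelog entry (`+ - Fix potential XSS vulnerability with flash messages.` / `+ - No CVE id assigned yet`) identifies the fix only through the patch file name; since the patch name already carries the upstream issue number (19117), consider stating "upstream issue #19117" in the entry itself so that the security tracker and anyone reading the changelog can cross-reference the fix once a CVE id is assigned.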
diff -Nru redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch
--- redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch 1969-12-31 21:00:00.000000000 -0300
+++ redmine-3.0~20140825/debian/patches/0001-Escape-flash-messages-19117.patch 2015-02-22 11:35:14.000000000 -0300
@@ -0,0 +1,45 @@
+From 2a7795ab525a47aee4484708acde409e6c4e6737 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Lang <[email protected]>
+Date: Tue, 17 Feb 2015 17:47:36 +0000
+Subject: [PATCH] Escape flash messages (#19117).
+
+git-svn-id: http://svn.redmine.org/redmine/trunk@14016 e93f8b46-1217-0410-a6f0-8f06a7374b81
+---
+ app/controllers/account_controller.rb | 2 +-
+ app/controllers/admin_controller.rb | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/app/controllers/account_controller.rb
++++ b/app/controllers/account_controller.rb
+@@ -290,7 +290,7 @@ class AccountController < ApplicationCon
+ token = Token.new(:user => user, :action => "register")
+ if user.save and token.save
+ Mailer.register(token).deliver
+- flash[:notice] = l(:notice_account_register_done, :email => user.mail)
++ flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
+ redirect_to signin_path
+ else
+ yield if block_given?
+--- a/app/controllers/admin_controller.rb
++++ b/app/controllers/admin_controller.rb
+@@ -51,7 +51,7 @@ class AdminController < ApplicationContr
+ Redmine::DefaultData::Loader::load(params[:lang])
+ flash[:notice] = l(:notice_default_data_loaded)
+ rescue Exception => e
+- flash[:error] = l(:error_can_t_load_default_data, e.message)
++ flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
+ end
+ end
+ redirect_to admin_path
+@@ -63,9 +63,9 @@ class AdminController < ApplicationContr
+ ActionMailer::Base.raise_delivery_errors = true
+ begin
+ @test = Mailer.test_email(User.current).deliver
+- flash[:notice] = l(:notice_email_sent, User.current.mail)
++ flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
+ rescue Exception => e
+- flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))
++ flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
+ end
+ ActionMailer::Base.raise_delivery_errors = raise_delivery_errors
+ redirect_to settings_path(:tab => 'notifications')
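Review bot: the fix escapes the dynamic arguments (`user.mail`, `e.message`, `User.current.mail`) at four `flash[...] = l(...)` call sites in `account_controller.rb` and `admin_controller.rb`, which is the right place given that the flash text is evidently rendered as HTML, but it is only a complete fix if no other flash assignment in the application interpolates an unescaped dynamic value; that should be confirmed before treating this as closing the issue. The ordering in `ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))` is correct (repair the encoding first, then escape). On the packaging side, the patch file carries only the git-format-patch header; adding DEP-3 `Origin:` and `Bug:` fields (upstream trunk r14016 per the `git-svn-id` line, issue #19117) would record provenance explicitly for later security-tracker work.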
diff -Nru redmine-3.0~20140825/debian/patches/series redmine-3.0~20140825/debian/patches/series
--- redmine-3.0~20140825/debian/patches/series 2015-01-30 14:04:43.000000000 -0200
+++ redmine-3.0~20140825/debian/patches/series 2015-02-22 11:35:14.000000000 -0300
@@ -10,3 +10,4 @@
drop-update_all.patch
invalidate-language-cache-from-older-versions.diff
avoid-crash-on-issues.diff
+0001-Escape-flash-messages-19117.patch
--- End Message ---
--- Begin Message ---
On Wed, 2015-02-25 at 15:28 -0300, Antonio Terceiro wrote:
> Please unblock package redmine
>
> This version includes a patch for a security issue which has no public
> identifier yet.
Unblocked.
Regards,
Adam
--- End Message ---