Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hello,

php-horde in Jessie has an XSS security bug (#785364). I plan to fix it through -updates. Debdiff attached.

Regards

Mathieu Parent

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
>From 4b855a205b0c33f91a908d070d7848100ef4697a Mon Sep 17 00:00:00 2001 From: Mathieu Parent <[email protected]> Date: Fri, 15 May 2015 11:38:49 +0200 Subject: [PATCH] Fix XSS in group administration (Closes: #785364) --- debian/changelog | 6 ++++++ .../0003-Fix-XSS-in-group-administration.patch | 23 ++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 30 insertions(+) create mode 100644 debian/patches/0003-Fix-XSS-in-group-administration.patch diff --git a/debian/changelog b/debian/changelog index 2796877..b801a8d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +php-horde (5.2.1+debian0-2+deb8u1) stable; urgency=medium + + * Fix XSS in group administration (Closes: #785364) + + -- Mathieu Parent <[email protected]> Fri, 15 May 2015 17:14:33 +0200 + php-horde (5.2.1+debian0-2) unstable; urgency=medium * Update Standards-Version, no change diff --git a/debian/patches/0003-Fix-XSS-in-group-administration.patch b/debian/patches/0003-Fix-XSS-in-group-administration.patch new file mode 100644 index 0000000..f318a40 --- /dev/null +++ b/debian/patches/0003-Fix-XSS-in-group-administration.patch @@ -0,0 +1,23 @@ +From: Mathieu Parent <[email protected]> +Date: Tue, 5 May 2015 21:56:08 +0200 +Subject: Fix XSS in group administration + +Origin: https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220 +Author: Jan Schneider <[email protected]> +--- + horde-5.2.1/admin/groups.php | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/horde-5.2.1/admin/groups.php b/horde-5.2.1/admin/groups.php +index 3a3fa48..0423531 100644 +--- a/horde-5.2.1/admin/groups.php ++++ b/horde-5.2.1/admin/groups.php +@@ -211,7 +211,7 @@ foreach ($nodes as $id => $node) { + $tree->addNode(array( + 'id' => $id, + 'parent' => null, +- 'label' => $node, ++ 'label' => htmlspecialchars($node), + 'expanded' => false, + 'params' => $group_node + $node_params, + 'right' => array($spacer, $delete_link) 
diff --git a/debian/patches/series b/debian/patches/series index 8e6d7d8..df54592 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0002-Fix-rewrite-base.patch +0003-Fix-XSS-in-group-administration.patch -- 2.1.4
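Review bot: the debian/changelog hunk only cites the Debian bug; since the patch header already carries `Origin: https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220`, it would help stable-update reviewers to repeat that upstream commit reference (or the upstream fix description) in the changelog entry so the provenance of the fix is visible without opening the patch.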
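Review bot: the groups.php hunk in 0003-Fix-XSS-in-group-administration.patch escapes only the `'label' => htmlspecialchars($node)` value, while the same `addNode()` call also passes `'params' => $group_node + $node_params` and `'right' => array($spacer, $delete_link)`, whose construction from `$node` is outside the visible context; please confirm those are escaped (or are not rendered as HTML) before the upload, and consider passing `ENT_QUOTES` if the label can end up inside a single-quoted attribute, since the default flags leave single quotes untouched. On the DEP-3 side, the patch header has `Origin:` and `Author:` but no `Bug-Debian: https://bugs.debian.org/785364`, which is worth adding for traceability.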

