Your message dated Sat, 06 Jun 2015 13:11:11 +0100
with message-id <[email protected]>
and subject line Fix released with 8.1 point release
has caused the Debian Bug report #785386,
regarding jessie-pu: package php-horde/5.2.1+debian0-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
785386: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785386
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Hello,
php-horde in Jessie has an XSS security bug (#785364).
I plan to fix in thru -updates.
Debdiff attached.
Regards
Mathieu Parent
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
>From 4b855a205b0c33f91a908d070d7848100ef4697a Mon Sep 17 00:00:00 2001
From: Mathieu Parent <[email protected]>
Date: Fri, 15 May 2015 11:38:49 +0200
Subject: [PATCH] Fix XSS in group administration (Closes: #785364)
---
debian/changelog | 6 ++++++
.../0003-Fix-XSS-in-group-administration.patch | 23 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 30 insertions(+)
create mode 100644 debian/patches/0003-Fix-XSS-in-group-administration.patch
diff --git a/debian/changelog b/debian/changelog
index 2796877..b801a8d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-horde (5.2.1+debian0-2+deb8u1) stable; urgency=medium
+
+ * Fix XSS in group administration (Closes: #785364)
+
+ -- Mathieu Parent <[email protected]> Fri, 15 May 2015 17:14:33 +0200
+
php-horde (5.2.1+debian0-2) unstable; urgency=medium
* Update Standards-Version, no change
diff --git a/debian/patches/0003-Fix-XSS-in-group-administration.patch b/debian/patches/0003-Fix-XSS-in-group-administration.patch
new file mode 100644
index 0000000..f318a40
--- /dev/null
+++ b/debian/patches/0003-Fix-XSS-in-group-administration.patch
@@ -0,0 +1,23 @@
+From: Mathieu Parent <[email protected]>
+Date: Tue, 5 May 2015 21:56:08 +0200
+Subject: Fix XSS in group administration
+
+Origin: https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220
+Author: Jan Schneider <[email protected]>
+---
+ horde-5.2.1/admin/groups.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/horde-5.2.1/admin/groups.php b/horde-5.2.1/admin/groups.php
+index 3a3fa48..0423531 100644
+--- a/horde-5.2.1/admin/groups.php
++++ b/horde-5.2.1/admin/groups.php
+@@ -211,7 +211,7 @@ foreach ($nodes as $id => $node) {
+ $tree->addNode(array(
+ 'id' => $id,
+ 'parent' => null,
+- 'label' => $node,
++ 'label' => htmlspecialchars($node),
+ 'expanded' => false,
+ 'params' => $group_node + $node_params,
+ 'right' => array($spacer, $delete_link)
diff --git a/debian/patches/series b/debian/patches/series
index 8e6d7d8..df54592 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
0002-Fix-rewrite-base.patch
+0003-Fix-XSS-in-group-administration.patch
--
2.1.4
--- End Message ---
--- Begin Message ---
Version: 8.1
Hi,
The fix discussed in this bug was released to stable as part of the 8.1
point release earlier today.
Regards,
Adam
--- End Message ---
