This is an automated email from the git hooks/post-receive script. sebastic pushed a commit to branch master in repository pycsw.
commit 6fdc600ac9ecf904e2ef44e8fa20fc5114c74a51 Author: Bas Couwenberg <sebas...@xs4all.nl> Date: Sat Jun 27 15:35:01 2015 +0200 Include changes by Angelos from OSGeo-Live package. Fixed libxml < 2.9 XEE vulnerability. --- debian/changelog | 12 ++++++++++ debian/patches/libxml2-xee.patch | 51 ++++++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 64 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 482fd2c..1d831bc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+pycsw (1.10.1+dfsg-2) UNRELEASED; urgency=medium
+
+ * Team upload.
+
+ [ Angelos Tzotsos ]
+ * Fixed libxml < 2.9 XEE vulnerability.
+
+ [ Bas Couwenberg ]
+ * Include changes by Angelos from OSGeo-Live package.
+
+ -- Bas Couwenberg <sebas...@debian.org> Sat, 27 Jun 2015 15:31:52 +0200
+
 pycsw (1.10.1+dfsg-1) unstable; urgency=medium
 
 * Imported Upstream version 1.10.1+dfsg
diff --git a/debian/patches/libxml2-xee.patch b/debian/patches/libxml2-xee.patch
new file mode 100644
index 0000000..ccb7b0e
--- /dev/null
+++ b/debian/patches/libxml2-xee.patch
@@ -0,0 +1,51 @@
+Description: Fixing libxml < 2.9 xee vulnerability
+ .
+ pycsw (1.10.1+dfsg-2~trusty1) trusty; urgency=medium
+ .
+ * Fixed libxml < 2.9 XEE vulnerability
+Author: Angelos Tzotsos <gcpp.kal...@gmail.com>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- a/pycsw/admin.py
++++ b/pycsw/admin.py
+@@ -556,7 +556,7 @@ def validate_xml(xml, xsd):
+ LOGGER.info('Validating %s against schema %s', xml, xsd)
+
+ schema = etree.XMLSchema(file=xsd)
+- parser = etree.XMLParser(schema=schema)
++ parser = etree.XMLParser(schema=schema, resolve_entities=False)
+
+ try:
+ valid = etree.parse(xml, parser)
+--- a/pycsw/server.py
++++ b/pycsw/server.py
+@@ -1285,7 +1285,7 @@ class Csw(object):
+ LOGGER.debug('Validating Filter %s.' %
+ self.kvp['constraint'])
+ schema = etree.XMLSchema(file=schema)
+- parser = etree.XMLParser(schema=schema)
++ parser = etree.XMLParser(schema=schema, resolve_entities=False)
+ doc = etree.fromstring(self.kvp['constraint'], parser)
+ LOGGER.debug('Filter is valid XML.')
+ self.kvp['constraint'] = {}
+@@ -1976,7 +1976,7 @@ class Csw(object):
+
+ LOGGER.debug('Validating %s.' % postdata)
+ schema = etree.XMLSchema(file=schema)
+- parser = etree.XMLParser(schema=schema)
++ parser = etree.XMLParser(schema=schema, resolve_entities=False)
+ if hasattr(self, 'soap') and self.soap:
+ # validate the body of the SOAP request
+ doc = etree.fromstring(etree.tostring(doc), parser)
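Review bot: In the third embedded hunk (pycsw/server.py, `@@ -1976`), the hardened parser only re-parses `etree.tostring(doc)`, so `doc` was already built by an earlier parse that lies outside the hunk; if that first parse uses lxml's default parser, entities in the request body are expanded before this validating parser sees them and `resolve_entities=False` here has nothing left to block. The same question applies to any other `etree.parse`/`etree.fromstring` call in pycsw that takes request XML without an explicit parser, since the patch touches only the three schema-validating constructions. I would give the initial parse the same setting, e.g. `doc = etree.fromstring(postdata, etree.XMLParser(resolve_entities=False))` (assuming `postdata` is what that parse consumes), ideally through one module-level parser shared by all call sites. Separately, the DEP-3 header still carries the unfilled template block (`Origin:`, `Forwarded:`, `Last-Update:` placeholders), which should be filled in or dropped.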
diff --git a/debian/patches/series b/debian/patches/series
index a92dfd2..5baf84c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
 0004-Use-xdg-open-instead-of-firefox-in-desktop-file.patch
 0005-Set-default-configuration-path-for-wsgi.patch
 0006-Don-t-include-external-references-to-images.patch
+libxml2-xee.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-grass/pycsw.git _______________________________________________ Pkg-grass-devel mailing list Pkg-grass-devel@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grass-devel