[Debian-ha-commits] [pcs] 01/02: Add upstream fix for CVE-2017-2661 (Closes: #858379)
Valentin Vidic
vvidic-guest at moszumanska.debian.org
Tue Mar 21 20:02:05 UTC 2017
This is an automated email from the git hooks/post-receive script.
vvidic-guest pushed a commit to branch master
in repository pcs.
commit 588cae9cf682fac98871e57d48c382278b9c49f1
Author: Valentin Vidic <Valentin.Vidic at CARNet.hr>
Date: Tue Mar 21 20:34:46 2017 +0100
Add upstream fix for CVE-2017-2661 (Closes: #858379)
---
debian/patches/0012-CVE-2017-2661.patch | 41 +++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 42 insertions(+)
diff --git a/debian/patches/0012-CVE-2017-2661.patch b/debian/patches/0012-CVE-2017-2661.patch
new file mode 100644
index 0000000..1beaf95
--- /dev/null
+++ b/debian/patches/0012-CVE-2017-2661.patch
@@ -0,0 +1,41 @@
+From: Ondrej Mular <omular at redhat.com>
+Date: Sat, 4 Mar 2017 14:01:43 +0100
+Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1428948
+Subject: [PATCH] web UI: fixed XSS vulnerability
+
+---
+ pcsd/public/js/nodes-ember.js | 4 ++--
+ pcsd/public/js/pcsd.js | 2 +-
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/pcsd/public/js/nodes-ember.js
++++ b/pcsd/public/js/nodes-ember.js
+@@ -75,7 +75,7 @@
+ var banned_options = ["SBD_OPTS", "SBD_WATCHDOG_DEV", "SBD_PACEMAKER"];
+ $.each(this.get("sbd_config"), function(opt, val) {
+ if (banned_options.indexOf(opt) == -1) {
+- out += '<tr><td>' + opt + '</td><td>' + val + '</td></tr>\n';
++ out += '<tr><td>' + htmlEncode(opt) + '</td><td>' + htmlEncode(val) + '</td></tr>\n';
+ }
+ });
+ return out + '</table>';
+@@ -879,7 +879,7 @@
+ }.property("status_val"),
+ show_status: function() {
+ return '<span style="' + this.get('status_style') + '">'
+- + this.get('status') + (this.get("is_unmanaged") ? " (unmanaged)" : "")
++ + htmlEncode(this.get('status')) + (this.get("is_unmanaged") ? " (unmanaged)" : "")
+ + '</span>';
+ }.property("status_style", "disabled"),
+ status_class: function() {
+--- a/pcsd/public/js/pcsd.js
++++ b/pcsd/public/js/pcsd.js
+@@ -822,7 +822,7 @@
+
+ dialog_obj.find('#auth_nodes_list').empty();
+ unauth_nodes.forEach(function(node) {
+- dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + node + '</td><td><input type="password" name="' + node + '-pass"></td></tr>\n');
++ dialog_obj.find('#auth_nodes_list').append("\t\t\t<tr><td>" + htmlEncode(node) + '</td><td><input type="password" name="' + htmlEncode(node) + '-pass"></td></tr>\n');
+ });
+
+ }
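Review bot: In the pcsd.js hunk the node name is now also written into the `name="…"` attribute through `htmlEncode(node)`, and that is only safe if htmlEncode escapes double quotes, which this patch does not show; a helper built on jQuery's `.text().html()` round trip would leave `"` untouched. Building the row through the DOM avoids the question, e.g. `$('<td>').text(node)` and `$('<input type="password">').attr('name', node + '-pass')`. Separately, the embedded diffstat reports 3 files changed with 7 insertions, but only two files with 3 insertions are present, so it is worth confirming that the dropped part of the upstream commit is not where `htmlEncode` is defined for the packaged version. In `show_status`, `this.get('status_style')` is still concatenated into the `style` attribute unencoded; it may be computed locally, but its source is outside this hunk and should be checked.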
diff --git a/debian/patches/series b/debian/patches/series
index c11d762..ed481e1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
0009-Fix-testsuite.patch
0010-Replace-chkconfig.patch
0011-Fix-python-lxml.patch
+0012-CVE-2017-2661.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-ha/pcs.git