[SCM] KDE Development Platform Libraries module packaging branch, squeeze, updated. debian/4.4.5-2+squeeze3-1-gb93be98
Maximiliano Curia
maxy at alioth.debian.org
Mon May 13 18:55:29 UTC 2013
Gitweb-URL: http://git.debian.org/?p=pkg-kde/kde-sc/kde4libs.git;a=commitdiff;h=b93be98
The following commit has been merged in the squeeze branch:
commit b93be98b355e4bbfdc0a6da8df2ecee53e9fa90f
Author: Maximiliano Curia <maxy at debian.org>
Date: Mon May 13 17:13:12 2013 +0200
Fix for CVE-2013-2074, do not print passwords. (#707776)
---
debian/changelog | 10 +++++
debian/patches/series | 1 +
...ream_cve-2013-2074-do-not-print-passwords.patch | 41 ++++++++++++++++++++
3 files changed, 52 insertions(+), 0 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 4d29814..b59cac5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+kde4libs (4:4.4.5-2+squeeze4) stable; urgency=medium
+
+ [ Maximiliano Curia ]
+ * Backport upstream commit 65d736dab592bced4410ccfa4699de89f78c96ca to fix
+ CVE-2013-2074: prints passwords contained in HTTP URLs in error messages;
+ patch upstream_cve-2013-2074-do-not-print-passwords.patch,
+ thanks to Salvatore Bonaccorso <carnil at debian.org> (Closes: #707776)
+
+ -- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org> Mon, 13 May 2013 19:16:22 +0200
+
kde4libs (4:4.4.5-2+squeeze3) stable; urgency=low
[ Ansgar Burchardt ]
diff --git a/debian/patches/series b/debian/patches/series
index 4aafd60..d3c9024 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -24,3 +24,4 @@ cve_2011_1094_ssl_verify_hostname.diff
ktar_header_checksum_fix.diff
ktar_longlink_length_in_bytes.diff
636615-ibus.diff
+upstream_cve-2013-2074-do-not-print-passwords.patch
diff --git a/debian/patches/upstream_cve-2013-2074-do-not-print-passwords.patch b/debian/patches/upstream_cve-2013-2074-do-not-print-passwords.patch
new file mode 100644
index 0000000..0dc7674
--- /dev/null
+++ b/debian/patches/upstream_cve-2013-2074-do-not-print-passwords.patch
@@ -0,0 +1,41 @@
+commit 65d736dab592bced4410ccfa4699de89f78c96ca
+Author: Grégory Oestreicher <greg at kamago.net>
+Date: Wed May 8 23:16:00 2013 +0200
+
+ Don't show passwords contained in HTTP URLs in error messages
+ BUG: 319428
+
+Index: kde4libs/kioslave/http/http.cpp
+===================================================================
+--- kde4libs.orig/kioslave/http/http.cpp 2013-05-13 19:46:49.255460450 +0200
++++ kde4libs/kioslave/http/http.cpp 2013-05-13 19:47:14.616414462 +0200
+@@ -2087,9 +2087,9 @@
+ // cache-only or offline -> we give a definite answer and it is "no"
+ *cacheHasPage = false;
+ if (isCacheOnly) {
+- error(ERR_DOES_NOT_EXIST, m_request.url.url());
++ error(ERR_DOES_NOT_EXIST, m_request.url.prettyUrl());
+ } else if (offline) {
+- error(ERR_COULD_NOT_CONNECT, m_request.url.url());
++ error(ERR_COULD_NOT_CONNECT, m_request.url.prettyUrl());
+ }
+ return true;
+ }
+@@ -2758,7 +2758,7 @@
+ if (m_request.preferErrorPage) {
+ setLoadingErrorPage();
+ } else {
+- error(ERR_INTERNAL_SERVER, m_request.url.url());
++ error(ERR_INTERNAL_SERVER, m_request.url.prettyUrl());
+ return false;
+ }
+ }
+@@ -2777,7 +2777,7 @@
+ if (m_request.preferErrorPage) {
+ setLoadingErrorPage();
+ } else {
+- error(ERR_DOES_NOT_EXIST, m_request.url.url());
++ error(ERR_DOES_NOT_EXIST, m_request.url.prettyUrl());
+ return false;
+ }
+ } else if (m_request.responseCode == 307) {
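Review bot: The four `error()` call sites changed in the embedded http.cpp patch (the cache-only/offline branch at 2087 and the response-code branches at 2758 and 2777) switch to `prettyUrl()` with no comment explaining why, so a later cleanup could restore `url()` and bring the password back into the message. I would add a short comment at each site, for example `// prettyUrl() omits the password; never pass url() to a user-visible error`. Only these call sites are visible here and the enclosing functions start and end outside the hunks, so the backport should also check whether other `m_request.url.url()` uses in this file reach error messages or debug output. Note that `prettyUrl()` appears to keep the user name and query string, so any secret carried there would still be shown.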
--
KDE Development Platform Libraries module packaging