[DRE-commits] [gitlab] 01/01: Add CVE patch

Balasankar C balasankarc-guest at moszumanska.debian.org
Tue Mar 21 09:33:30 UTC 2017


This is an automated email from the git hooks/post-receive script.

balasankarc-guest pushed a commit to branch master
in repository gitlab.

commit 4633e24a80e5e2854dbb4bac91daa11706d47a4e
Author: Balasankar C <balasankarc at autistici.org>
Date:   Tue Mar 21 14:56:56 2017 +0530

    Add CVE patch
---
 debian/patches/cve-2017-0882.patch | 28 ++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 29 insertions(+)

diff --git a/debian/patches/cve-2017-0882.patch b/debian/patches/cve-2017-0882.patch
new file mode 100644
index 0000000..8b9ed4f
--- /dev/null
+++ b/debian/patches/cve-2017-0882.patch
@@ -0,0 +1,28 @@
+Description: Security patch for CVE-2017-0882
+Author: Brian Neel
+Bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/29661
+Last-Update: 2017-03-21
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/app/controllers/projects/issues_controller.rb
++++ b/app/controllers/projects/issues_controller.rb
+@@ -112,7 +112,7 @@
+       end
+ 
+       format.json do
+-        render json: @issue.to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } })
++        render json: @issue.to_json(include: { milestone: {}, assignee: { only: [:name, :username], methods: [:avatar_url] }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short])
+       end
+     end
+ 
+--- a/app/controllers/projects/merge_requests_controller.rb
++++ b/app/controllers/projects/merge_requests_controller.rb
+@@ -278,7 +278,7 @@
+                        @merge_request.target_project, @merge_request])
+         end
+         format.json do
+-          render json: @merge_request.to_json(include: { milestone: {}, assignee: { methods: :avatar_url }, labels: { methods: :text_color } })
++          render json: @merge_request.to_json(include: { milestone: {}, assignee: { only: [:name, :username], methods: [:avatar_url] }, labels: { methods: :text_color } }, methods: [:task_status, :task_status_short])
+         end
+       end
+     else
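Review bot: The allowlist is applied only to `assignee` in the two `format.json` blocks (issues_controller.rb and merge_requests_controller.rb); `milestone: {}` and `labels: { methods: :text_color }` still have no `only:` list, and neither does the outer `to_json` call, so every attribute of the milestone, the labels and `@issue` / `@merge_request` itself is still serialized into the response. If any of those records carry fields that should not reach the client, give them an explicit `only:` as well, or state in the patch description that they were checked. The added top-level `methods: [:task_status, :task_status_short]` is not related to restricting the assignee, so the description should say whether it is part of the upstream fix. The DEP-3 header would also be easier to audit with an `Origin:` or `Applied-Upstream:` field naming the upstream commit, and a `Description:` that says what is being restricted rather than only the CVE number.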
diff --git a/debian/patches/series b/debian/patches/series
index 070c46f..d846552 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ pid-log-paths.patch
 0200-remove-order-dependency-in-label-finder-spec.patch
 0210-use-jquery-ui-rails6.patch
 0300-git-2-11-support.patch
+cve-2017-0882.patch
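Review bot: The new entry `cve-2017-0882.patch` at the end of the series has no numeric prefix, while the three context entries above it start with `0200-`, `0210-` and `0300-`. A numbered name would keep the application order readable from the file names; if security patches are meant to stay unnumbered, a comment line in the series file saying so would help the next person who adds one.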

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/gitlab.git


