On 2012-07-23 10:56, Pierre Chifflier wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> 
> Hi,
> 
> GLPI 0.83.31 (micro-fix based on 0.83.3) is an important security
> release, fixing two CVEs:
> 
> CVE-2012-4002:
>   Bug #3704: CSRF prevention step 1
>   Bug #3707: CSRF prevention step 2
> 
> CVE-2012-4003:
>   Bug #3705: Security XSS for few items
> 
> https://forge.indepnet.net/projects/glpi/versions/771
> 
> Note: the diff from 0.83.2-1 (current testing) is pretty big, but almost
> all the patch is made of fixes in many files. Trying to backport would
> make no sense imho since it would bring almost everything, and make future
> maintenance even harder.
> 
> Please allow GLPI 0.83.31 in testing.
> 
> Regards,
> Pierre
> 
> unblock glpi/0.83.31-1
> 
> 

Hi,

I am afraid that diff is too much for me to review.  I have tried a
couple of times now and there is a lot in there I expect is "unrelated
changes".

I understand that due to #3707, the security-only fix will still be a
huge diff.  That said, it is not the Html::closeForm() (i.e. CSRF step
2) that I choke on.  So I would be interested in seeing the
diff with only the security fixes.

~Niels
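
The thread refers to a CSRF fix that lands in a shared form-closing helper (Html::closeForm(), "CSRF step 2") and therefore touches every file that renders a form. The following is an added illustration of that pattern, not GLPI's code or the patch under discussion; the function names (csrf_token, csrf_close_form, csrf_check) and the hidden field name _csrf_token are hypothetical.

```php
<?php
// Illustrative CSRF protection in the style of a shared "closeForm" helper.
// Added example, NOT GLPI's own code; all names below are hypothetical.

session_start();

// Return the per-session anti-CSRF token, creating it on first use.
// The token is random and tied to the session, so a third-party site
// cannot know it and cannot forge a valid request.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Emit the hidden token field and the closing </form> tag.
// Because every form in the application ends with this single helper,
// adding the token here protects all forms at once, which is also why
// such a change shows up in many files of the resulting diff.
function csrf_close_form(): string {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return "<input type=\"hidden\" name=\"_csrf_token\" value=\"$token\">\n"
         . "</form>\n";
}

// Verify the token on every state-changing request before doing any work.
function csrf_check(array $post): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['_csrf_token'] ?? '';
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... handle the validated form submission here ...
}
?>
<form method="post" action="">
  <input type="text" name="name">
  <button type="submit">Save</button>
<?= csrf_close_form() ?>
```

The check must run on every POST handler, not only on the pages that render forms; a token that is emitted everywhere but verified only in some handlers leaves those handlers exposed.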

