Here is the jessie debdiff. -- Mathieu
From ce52fddc5bacf6a089ce777ccbde1b80b915d7e6 Mon Sep 17 00:00:00 2001
From: Mathieu Parent <math.par...@gmail.com>
Date: Thu, 4 Feb 2016 13:47:41 +0100
Subject: [PATCH] Fix XSS vulnerability in menu bar (Closes: #813573)
and release

---
 debian/changelog | 6 ++++++
 .../0005-Fix-XSS-vulnerability-in-menu-bar.patch | 21 +++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 28 insertions(+)
 create mode 100644 debian/patches/0005-Fix-XSS-vulnerability-in-menu-bar.patch

diff --git a/debian/changelog b/debian/changelog
index fdc10df..512c484 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-horde (5.2.1+debian0-2+deb8u3) jessie-security; urgency=high
+
+ * Fix XSS vulnerability in menu bar (Closes: #813573)
+
+ -- Mathieu Parent <sath...@debian.org> Thu, 04 Feb 2016 13:46:39 +0100
+
 php-horde (5.2.1+debian0-2+deb8u2) jessie-security; urgency=high
 
 * Add session token checking to various admin pages (Closes: #803641)
diff --git a/debian/patches/0005-Fix-XSS-vulnerability-in-menu-bar.patch b/debian/patches/0005-Fix-XSS-vulnerability-in-menu-bar.patch
new file mode 100644
index 0000000..8d35066
--- /dev/null
+++ b/debian/patches/0005-Fix-XSS-vulnerability-in-menu-bar.patch
@@ -0,0 +1,21 @@
+From: Jan Schneider <j...@horde.org>
+Date: Wed, 6 Jan 2016 11:46:35 +0100
+Subject: [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by
+ only a few applications (Bug #14213).
+
+
+(Adapted from upstream ab07a1b447de34e13983b4d7ceb18b58c3a358d8)
+
+diff --git a/horde-5.2.1/templates/topbar/_menubar.html.php b/horde-5.2.1/templates/topbar/_menubar.html.php
+index acb416c..df75623 100644
+--- a/horde-5.2.1/templates/topbar/_menubar.html.php
++++ b/horde-5.2.1/templates/topbar/_menubar.html.php
+@@ -23,7 +23,7 @@
+ <input autocomplete="off" id="horde-search-input" type="text" />
+ </div>
+ <?php else: ?>
+- <input type="text" id="horde-search-input" name="searchfield" class="formGhost" title="<?php echo $this->searchLabel ?>" />
++ <input type="text" id="horde-search-input" name="searchfield" class="formGhost" title="<?php echo $this->h($this->searchLabel) ?>" />
+ <?php endif ?>
+ <input type="image" id="horde-search-icon" src="<?php echo $this->searchIcon ?>" />
+ </form>
diff --git a/debian/patches/series b/debian/patches/series
index 79d01fd..ac555f4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0002-Fix-rewrite-base.patch
 0003-Fix-XSS-in-group-administration.patch
 0004-Add-session-token-checking-to-various-admin-pages.patch
+0005-Fix-XSS-vulnerability-in-menu-bar.patch
--
2.7.0
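Review bot: The `src` attribute two lines below the fixed `title`, in the nested `_menubar.html.php` hunk of the new 0005 patch, is still echoed raw as `src="<?php echo $this->searchIcon ?>"`. Whether `searchIcon` can ever carry application- or user-supplied data is not visible from this hunk. Since the patch itself establishes that `searchLabel` can, I would route it through the same helper: `<input type="image" id="horde-search-icon" src="<?php echo $this->h($this->searchIcon) ?>" />`. The template continues outside the seven-line hunk, so any other raw `echo $this->…` in attribute context there deserves the same check. Because the patch is marked "Adapted from upstream", it is also worth confirming against ab07a1b447de34e13983b4d7ceb18b58c3a358d8 that no other escaped output site was dropped in the backport.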