Package: release.debian.org
Followup-For: Bug #683441

Hey kibi,
I have prepared a new upload with urgency high, because now it also needs a security fix. I will wait for your approval before I upload it. diff:
diff -Naur '--exclude=.svn' tags/3.1.7+dfsg1-3/debian/changelog branches/wheezy/debian/changelog --- tags/3.1.7+dfsg1-3/debian/changelog 2012-07-30 10:01:45.000000000 +0200 +++ branches/wheezy/debian/changelog 2012-08-22 18:50:11.539325047 +0200 @@ -1,9 +1,20 @@ +otrs2 (3.1.7+dfsg1-4) UNRELEASED; urgency=high + + * Correct typo in changelog from my last upload. + * Add upstream patch 28-osa-2012-01-ie-xss from OSA-2012-01, which fixes a + XSS vulnerability when using the Internet Explorer. + * Move libmail-imapclient-perl from Suggests to Depends and also depend on + the version in Wheezy. This is an additional fix for the 3.1.7+dfsg1-3 + upload to ensure that the correct version is installed. + + -- Patrick Matthäi <pmatth...@debian.org> Sun, 19 Aug 2012 12:47:35 +0200 + otrs2 (3.1.7+dfsg1-3) unstable; urgency=low * Add backported upstream patch 27-imaptls-more-than-one-email. Using IMAPTLS will purge all e-mails, if more than one is located in the inbox. This is because of newer Mail::IMAPClient module versions return an array reference - insteaf of an array on the ->message action. + instead of an array on the ->message action. -- Patrick Matthäi <pmatth...@debian.org> Mon, 30 Jul 2012 09:53:24 +0200 diff -Naur '--exclude=.svn' tags/3.1.7+dfsg1-3/debian/control branches/wheezy/debian/control --- tags/3.1.7+dfsg1-3/debian/control 2012-07-30 10:01:45.000000000 +0200 +++ branches/wheezy/debian/control 2012-08-22 18:48:03.458134088 +0200 @@ -47,6 +47,7 @@ ttf-dejavu-extra, ttf-dejavu-core, libyaml-perl, + libmail-imapclient-perl (>= 3.31), libjson-perl Recommends: postgresql | mysql-server, procmail | maildrop, 
@@ -55,7 +56,6 @@ Suggests: otrs2-doc-en | otrs2-doc-de, libnet-ldap-perl, libjson-xs-perl, - libmail-imapclient-perl, libnet-smtp-tls-butmaintained-perl, libtext-csv-xs-perl, libencode-hanextra-perl diff -Naur '--exclude=.svn' tags/3.1.7+dfsg1-3/debian/patches/28-osa-2012-01-ie-xss.diff branches/wheezy/debian/patches/28-osa-2012-01-ie-xss.diff --- tags/3.1.7+dfsg1-3/debian/patches/28-osa-2012-01-ie-xss.diff 1970-01-01 01:00:00.000000000 +0100 +++ branches/wheezy/debian/patches/28-osa-2012-01-ie-xss.diff 2012-08-22 18:44:14.328005878 +0200 
@@ -0,0 +1,70 @@ +# Upstream advisory 2012-01: +# This advisory covers vulnerabilities discovered in the OTRS core system. Due +# to the XSS vulnerability in Internet Explorer an attacker could send a +# specially prepared HTML email to OTRS which would cause JavaScript code to be +# executed in your Internet Explorer while displaying the email. + +diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/Output/HTML/Standard/AgentTicketZoom.dtl otrs2-3.1.7+dfsg1/Kernel/Output/HTML/Standard/AgentTicketZoom.dtl +--- otrs2-3.1.7+dfsg1.orig/Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 2012-06-21 13:40:05.000000000 +0200 ++++ otrs2-3.1.7+dfsg1/Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 2012-08-22 18:38:22.676743135 +0200 +@@ -2,7 +2,7 @@ + # AgentTicketZoom.dtl - provides HTML for AgentTicketZoom.pm + # Copyright (C) 2001-2012 OTRS AG, http://otrs.org/ + # -- +-# $Id: AgentTicketZoom.dtl,v 1.207.2.2 2012/06/11 08:20:01 mg Exp $ ++# $Id: AgentTicketZoom.dtl,v 1.207.2.4 2012/08/17 08:52:41 mg Exp $ + # -- + # This software comes with ABSOLUTELY NO WARRANTY. For details, see + # the enclosed file COPYING for license information (AGPL). If you +@@ -177,7 +177,11 @@ + <!-- dtl:block:TotalAccountedTime --> + <!-- dtl:block:PendingUntil --> + <label>$Text{"Pending till"}:</label> +- <p class="Value $QData{"PendingUntilClass"}">$Data{"PendingUntil"}</p> ++ <p class="Value $QData{"PendingUntilClass"}"> ++ $Data{"PendingUntil"} ++ <br/> ++ $TimeShort{"$QData{"UntilTimeHuman"}"} ++ </p> + <div class="Clear"></div> + <!-- dtl:block:PendingUntil --> + <!-- dtl:block:Owner --> +@@ -628,7 +632,9 @@ + <!-- dtl:block:BodyHTML --> + <div> + # execute IFrame JS asynchronously. 
Otherwise it could happen before our API was loaded +- <iframe width="100%" frameborder="0" id="Iframe$QData{"ArticleID"}" onload="window.setTimeout( function (){ if (typeof Core === 'object' && typeof Core.Agent === 'object' && typeof Core.Agent.TicketZoom === 'object') { Core.Agent.TicketZoom.IframeAutoHeight($('#Iframe$QData{"ArticleID"}')); } }, 500);" src="$Env{"Baselink"}Action=AgentTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"}"></iframe> ++# Use the HTML5 sandbox attribute to prevent plugins and scripts from being executed in the browser. ++# Use IE's (non-standard) security attribute to achieve something similar in older IE browsers. Append session info to URL because IE will not send cookies. ++ <iframe sandbox="allow-same-origin" security="restricted" width="100%" frameborder="0" id="Iframe$QData{"ArticleID"}" onload="window.setTimeout( function (){ if (typeof Core === 'object' && typeof Core.Agent === 'object' && typeof Core.Agent.TicketZoom === 'object') { Core.Agent.TicketZoom.IframeAutoHeight($('#Iframe$QData{"ArticleID"}')); } }, 500);" src="$Env{"Baselink"}Action=AgentTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"};$QEnv{"SessionName"}=$QEnv{"SessionID"}"></iframe> + </div> + <!-- dtl:block:BodyHTML --> + </div> +diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl otrs2-3.1.7+dfsg1/Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl +--- otrs2-3.1.7+dfsg1.orig/Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 2012-05-31 11:17:27.000000000 +0200 ++++ otrs2-3.1.7+dfsg1/Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 2012-08-22 18:38:30.552816289 +0200 +@@ -2,7 +2,7 @@ + # CustomerTicketZoom.dtl - provides HTML TicketZoom for CustomerTicketZoom.pm + # Copyright (C) 2001-2012 OTRS AG, http://otrs.org/ + # -- +-# $Id: CustomerTicketZoom.dtl,v 1.116.2.1 2012/05/30 16:20:22 mg Exp $ ++# $Id: 
CustomerTicketZoom.dtl,v 1.116.2.2 2012/08/17 08:52:41 mg Exp $ + # -- + # This software comes with ABSOLUTELY NO WARRANTY. For details, see + # the enclosed file COPYING for license information (AGPL). If you +@@ -170,11 +170,13 @@ + </div> + <!-- dtl:block:BodyPlain --> + <!-- dtl:block:BodyHTMLLoad --> +- <iframe title="about:blank" frameborder="0" id="VisibleFrame" src="$Env{"Baselink"}Action=CustomerTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"}"></iframe> ++# Use the HTML5 sandbox attribute to prevent plugins and scripts from being executed in the browser. ++# Use IE's (non-standard) security attribute to achieve something similar in older IE browsers. Append session info to URL because IE will not send cookies. ++ <iframe sandbox="allow-same-origin" security="restricted" title="about:blank" frameborder="0" id="VisibleFrame" src="$Env{"Baselink"}Action=CustomerTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"};$QEnv{"SessionName"}=$QEnv{"SessionID"}"></iframe> + <!-- dtl:block:BodyHTMLLoad --> + <!-- dtl:block:BodyHTMLPlaceholder --> + # <!-- Here we need to append the session info if cookies are disabled, because the layout object cannot automatically do that here, like in the other iframe (only for src attribute). 
--> +- <iframe src="about:blank" frameborder="0" title="$Env{"Baselink"}Action=CustomerTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"};$QData{"SessionInformation"}"></iframe> ++ <iframe sandbox="allow-same-origin" security="restricted" src="about:blank" frameborder="0" title="$Env{"Baselink"}Action=CustomerTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"};$QData{"SessionInformation"};$QEnv{"SessionName"}=$QEnv{"SessionID"}"></iframe> + <!-- dtl:block:BodyHTMLPlaceholder --> + </div> + </div> diff -Naur '--exclude=.svn' tags/3.1.7+dfsg1-3/debian/patches/series branches/wheezy/debian/patches/series --- tags/3.1.7+dfsg1-3/debian/patches/series 2012-07-30 10:01:45.000000000 +0200 +++ branches/wheezy/debian/patches/series 2012-08-22 18:44:25.108105907 +0200 @@ -15,3 +15,4 @@ 25-use-locale-country.diff 26-font-paths.diff 27-imaptls-more-than-one-email.diff +28-osa-2012-01-ie-xss.diff
-- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
Archive: http://lists.debian.org/20120822165905.29505.34868.report...@srv1.linux-dev.org
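Review bot: In the changelog hunk the new stanza still reads `otrs2 (3.1.7+dfsg1-4) UNRELEASED; urgency=high` and the second entry has two slips, "fixes a XSS vulnerability when using the Internet Explorer"; before upload set the distribution to unstable and reword to "fixes an XSS vulnerability when using Internet Explorer". It would also help the unblock review to say in that entry what the fix does (it sandboxes the iframes that render HTML mail in the agent and customer ticket zoom views), since that is what has to be judged against the freeze.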
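Review bot: The two control hunks replace the unversioned Suggests with `libmail-imapclient-perl (>= 3.31)` in Depends, which pins the version that patch 27 (the ->message arrayref change) relies on, but it also turns an optional IMAP fetching module into a hard dependency for every install. If the goal is only that any installed Mail::IMAPClient is new enough for the patched code, keeping the module in Suggests and adding `Breaks: libmail-imapclient-perl (<< 3.31)` expresses that without the extra dependency; whichever is intended, the changelog entry should say why the version bound is needed rather than only "the version in Wheezy".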
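Review bot: The `@@ -177,7 +177,11 @@` hunk of AgentTicketZoom.dtl inside 28-osa-2012-01-ie-xss.diff (the added `<br/> $TimeShort{"$QData{"UntilTimeHuman"}"}` under "Pending till") is not part of the XSS fix and uses a template variable that nothing else in this diff populates; it was most likely picked up because the upstream file moved from revision 1.207.2.2 to 1.207.2.4. Drop it from the security patch so the freeze exception stays minimal, or document where UntilTimeHuman is set.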
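Review bot: In the iframe hunks of both .dtl files, `sandbox="allow-same-origin"` without `allow-scripts` is the right combination (scripts inside the HTML mail stay blocked while the attachment still loads from the application origin), but appending `;$QEnv{"SessionName"}=$QEnv{"SessionID"}` to every src moves the session ID into the URL, where it lands in browser history and web-server access logs even for browsers that would have sent the cookie; the comment in the patch should make clear that this is the cost of IE's `security="restricted"` zone refusing cookies. In the CustomerTicketZoom placeholder hunk the new parameter is appended after `$QData{"SessionInformation"}`, which already carries the session when cookies are disabled, so check that the session parameter is not emitted twice in that title attribute.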