Package: release.debian.org
Followup-For: Bug #683441

Hey kibi,

I have prepared a new upload with urgency high, because now it also needs a
security fix. I will wait for your approval before I upload it.
diff:

diff -Naur '--exclude=.svn' tags/3.1.7+dfsg1-3/debian/changelog 
branches/wheezy/debian/changelog
--- tags/3.1.7+dfsg1-3/debian/changelog 2012-07-30 10:01:45.000000000 +0200
+++ branches/wheezy/debian/changelog    2012-08-22 18:50:11.539325047 +0200
@@ -1,9 +1,20 @@
+otrs2 (3.1.7+dfsg1-4) UNRELEASED; urgency=high
+
+  * Correct typo in changelog from my last upload.
+  * Add upstream patch 28-osa-2012-01-ie-xss from OSA-2012-01, which fixes a
+    XSS vulnerability when using the Internet Explorer.
+  * Move libmail-imapclient-perl from Suggests to Depends and also depend on
+    the version in Wheezy. This is an additional fix for the 3.1.7+dfsg1-3
+    upload to ensure that the correct version is installed.
+
+ -- Patrick Matthäi <pmatth...@debian.org>  Sun, 19 Aug 2012 12:47:35 +0200
+
 otrs2 (3.1.7+dfsg1-3) unstable; urgency=low
 
   * Add backported upstream patch 27-imaptls-more-than-one-email. Using IMAPTLS
     will purge all e-mails, if more than one is located in the inbox. This is
     because of newer Mail::IMAPClient module versions return an array reference
-    insteaf of an array on the ->message action.
+    instead of an array on the ->message action.
 
  -- Patrick Matthäi <pmatth...@debian.org>  Mon, 30 Jul 2012 09:53:24 +0200
 
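Review bot: the new changelog entry still carries the distribution `UNRELEASED` while the mail asks for approval of an urgency=high upload; the distribution field has to be set to the intended target suite before the package is built and uploaded. Two smaller points in the same entry: "fixes a XSS vulnerability" should read "fixes an XSS vulnerability", and the entry cites only the upstream advisory OSA-2012-01, so if a Debian bug or CVE identifier exists for this issue it should be referenced here for tracking.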
diff -Naur '--exclude=.svn' tags/3.1.7+dfsg1-3/debian/control 
branches/wheezy/debian/control
--- tags/3.1.7+dfsg1-3/debian/control   2012-07-30 10:01:45.000000000 +0200
+++ branches/wheezy/debian/control      2012-08-22 18:48:03.458134088 +0200
@@ -47,6 +47,7 @@
  ttf-dejavu-extra,
  ttf-dejavu-core,
  libyaml-perl,
+ libmail-imapclient-perl (>= 3.31),
  libjson-perl
 Recommends: postgresql | mysql-server,
  procmail | maildrop,
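Review bot: the new hard dependency `libmail-imapclient-perl (>= 3.31)` makes the IMAP client module mandatory for every otrs2 installation, including ones that only fetch mail through `procmail | maildrop` from Recommends. The versioned lower bound is justified by the 27-imaptls patch, which assumes the newer array-reference behaviour of Mail::IMAPClient, but the changelog should say why Depends was chosen over a versioned Recommends, and the 3.31 bound should be double-checked against the version actually shipped in wheezy before upload.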
@@ -55,7 +56,6 @@
 Suggests: otrs2-doc-en | otrs2-doc-de,
  libnet-ldap-perl,
  libjson-xs-perl,
- libmail-imapclient-perl,
  libnet-smtp-tls-butmaintained-perl,
  libtext-csv-xs-perl,
  libencode-hanextra-perl
diff -Naur '--exclude=.svn' 
tags/3.1.7+dfsg1-3/debian/patches/28-osa-2012-01-ie-xss.diff 
branches/wheezy/debian/patches/28-osa-2012-01-ie-xss.diff
--- tags/3.1.7+dfsg1-3/debian/patches/28-osa-2012-01-ie-xss.diff        
1970-01-01 01:00:00.000000000 +0100
+++ branches/wheezy/debian/patches/28-osa-2012-01-ie-xss.diff   2012-08-22 
18:44:14.328005878 +0200
@@ -0,0 +1,70 @@
+# Upstream advisory 2012-01:
+# This advisory covers vulnerabilities discovered in the OTRS core system. Due
+# to the XSS vulnerability in Internet Explorer an attacker could send a
+# specially prepared HTML email to OTRS which would cause JavaScript code to be
+# executed in your Internet Explorer while displaying the email.
+
+diff -Naur 
otrs2-3.1.7+dfsg1.orig/Kernel/Output/HTML/Standard/AgentTicketZoom.dtl 
otrs2-3.1.7+dfsg1/Kernel/Output/HTML/Standard/AgentTicketZoom.dtl
+--- otrs2-3.1.7+dfsg1.orig/Kernel/Output/HTML/Standard/AgentTicketZoom.dtl     
2012-06-21 13:40:05.000000000 +0200
++++ otrs2-3.1.7+dfsg1/Kernel/Output/HTML/Standard/AgentTicketZoom.dtl  
2012-08-22 18:38:22.676743135 +0200
+@@ -2,7 +2,7 @@
+ # AgentTicketZoom.dtl - provides HTML for AgentTicketZoom.pm
+ # Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
+ # --
+-# $Id: AgentTicketZoom.dtl,v 1.207.2.2 2012/06/11 08:20:01 mg Exp $
++# $Id: AgentTicketZoom.dtl,v 1.207.2.4 2012/08/17 08:52:41 mg Exp $
+ # --
+ # This software comes with ABSOLUTELY NO WARRANTY. For details, see
+ # the enclosed file COPYING for license information (AGPL). If you
+@@ -177,7 +177,11 @@
+ <!-- dtl:block:TotalAccountedTime -->
+ <!-- dtl:block:PendingUntil -->
+                         <label>$Text{"Pending till"}:</label>
+-                        <p class="Value 
$QData{"PendingUntilClass"}">$Data{"PendingUntil"}</p>
++                        <p class="Value $QData{"PendingUntilClass"}">
++                            $Data{"PendingUntil"}
++                            <br/>
++                            $TimeShort{"$QData{"UntilTimeHuman"}"}
++                        </p>
+                         <div class="Clear"></div>
+ <!-- dtl:block:PendingUntil -->
+ <!-- dtl:block:Owner -->
+@@ -628,7 +632,9 @@
+ <!-- dtl:block:BodyHTML -->
+                 <div>
+ # execute IFrame JS asynchronously. Otherwise it could happen before our API 
was loaded
+-                    <iframe width="100%" frameborder="0" 
id="Iframe$QData{"ArticleID"}" onload="window.setTimeout( function (){ if 
(typeof Core === 'object' && typeof Core.Agent === 'object' && typeof 
Core.Agent.TicketZoom === 'object') { 
Core.Agent.TicketZoom.IframeAutoHeight($('#Iframe$QData{"ArticleID"}')); } }, 
500);" 
src="$Env{"Baselink"}Action=AgentTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"}"></iframe>
++# Use the HTML5 sandbox attribute to prevent plugins and scripts from being 
executed in the browser.
++# Use IE's (non-standard) security attribute to achieve something similar in 
older IE browsers. Append session info to URL because IE will not send cookies.
++                    <iframe sandbox="allow-same-origin" security="restricted" 
width="100%" frameborder="0" id="Iframe$QData{"ArticleID"}" 
onload="window.setTimeout( function (){ if (typeof Core === 'object' && typeof 
Core.Agent === 'object' && typeof Core.Agent.TicketZoom === 'object') { 
Core.Agent.TicketZoom.IframeAutoHeight($('#Iframe$QData{"ArticleID"}')); } }, 
500);" 
src="$Env{"Baselink"}Action=AgentTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"};$QEnv{"SessionName"}=$QEnv{"SessionID"}"></iframe>
+                 </div>
+ <!-- dtl:block:BodyHTML -->
+             </div>
+diff -Naur 
otrs2-3.1.7+dfsg1.orig/Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl 
otrs2-3.1.7+dfsg1/Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl
+--- otrs2-3.1.7+dfsg1.orig/Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl  
2012-05-31 11:17:27.000000000 +0200
++++ otrs2-3.1.7+dfsg1/Kernel/Output/HTML/Standard/CustomerTicketZoom.dtl       
2012-08-22 18:38:30.552816289 +0200
+@@ -2,7 +2,7 @@
+ # CustomerTicketZoom.dtl - provides HTML TicketZoom for CustomerTicketZoom.pm
+ # Copyright (C) 2001-2012 OTRS AG, http://otrs.org/
+ # --
+-# $Id: CustomerTicketZoom.dtl,v 1.116.2.1 2012/05/30 16:20:22 mg Exp $
++# $Id: CustomerTicketZoom.dtl,v 1.116.2.2 2012/08/17 08:52:41 mg Exp $
+ # --
+ # This software comes with ABSOLUTELY NO WARRANTY. For details, see
+ # the enclosed file COPYING for license information (AGPL). If you
+@@ -170,11 +170,13 @@
+                             </div>
+ <!-- dtl:block:BodyPlain -->
+ <!-- dtl:block:BodyHTMLLoad -->
+-                            <iframe title="about:blank" frameborder="0" 
id="VisibleFrame" 
src="$Env{"Baselink"}Action=CustomerTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"}"></iframe>
++# Use the HTML5 sandbox attribute to prevent plugins and scripts from being 
executed in the browser.
++# Use IE's (non-standard) security attribute to achieve something similar in 
older IE browsers. Append session info to URL because IE will not send cookies.
++                            <iframe sandbox="allow-same-origin" 
security="restricted" title="about:blank" frameborder="0" id="VisibleFrame" 
src="$Env{"Baselink"}Action=CustomerTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"};$QEnv{"SessionName"}=$QEnv{"SessionID"}"></iframe>
+ <!-- dtl:block:BodyHTMLLoad -->
+ <!-- dtl:block:BodyHTMLPlaceholder -->
+ #                           <!-- Here we need to append the session info if 
cookies are disabled, because the layout object cannot automatically do that 
here, like in the other iframe (only for src attribute). -->
+-                            <iframe src="about:blank" frameborder="0" 
title="$Env{"Baselink"}Action=CustomerTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"};$QData{"SessionInformation"}"></iframe>
++                            <iframe sandbox="allow-same-origin" 
security="restricted" src="about:blank" frameborder="0" 
title="$Env{"Baselink"}Action=CustomerTicketAttachment;Subaction=HTMLView;ArticleID=$QData{"ArticleID"};FileID=$QData{"AttachmentIDOfHTMLBody"};$QData{"SessionInformation"};$QEnv{"SessionName"}=$QEnv{"SessionID"}"></iframe>
+ <!-- dtl:block:BodyHTMLPlaceholder -->
+                         </div>
+                     </div>
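Review bot: the `;$QEnv{"SessionName"}=$QEnv{"SessionID"}` suffix added to every iframe `src` puts the agent's or customer's session token into a URL, where it ends up in browser history, web-server and proxy access logs, and in the Referer header of any sub-request the framed HTML article makes. The upstream comment justifies this for IE's `security="restricted"` mode, which does not send cookies, but the template applies it to every browser. The patch header should call this out, and a follow-up should consider restricting it to the IE case or reusing the existing `$QData{"SessionInformation"}` mechanism: in CustomerTicketZoom.dtl the placeholder iframe `title` already carries `$QData{"SessionInformation"}`, and the new line appends the session a second time right after it. Also worth stating in the header that the fix is purely client-side: `sandbox="allow-same-origin"` (without `allow-scripts`) only blocks script execution in browsers that implement the HTML5 sandbox attribute, and `security="restricted"` only in IE, so browsers supporting neither attribute gain nothing from this change.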
diff -Naur '--exclude=.svn' tags/3.1.7+dfsg1-3/debian/patches/series 
branches/wheezy/debian/patches/series
--- tags/3.1.7+dfsg1-3/debian/patches/series    2012-07-30 10:01:45.000000000 
+0200
+++ branches/wheezy/debian/patches/series       2012-08-22 18:44:25.108105907 
+0200
@@ -15,3 +15,4 @@
 25-use-locale-country.diff
 26-font-paths.diff
 27-imaptls-more-than-one-email.diff
+28-osa-2012-01-ie-xss.diff

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

