Signed-off-by: Daniel Axtens <d...@axtens.net> --- .../notes/CVE-2019-13122-e9c63aa346ed15c2.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
diff --git a/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml new file mode 100644 index 000000000000..48afac0509bb --- /dev/null +++ b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml @@ -0,0 +1,11 @@ +--- +fixes: + - | + CVE-2019-13122 has been fixed. Andrew Donnellan discovered an XSS + via the message-id field. A malicious user could send a patch with + a message ID that included a script tag. Because of the quirks of + the email RFCs, such a message ID can survive being sent through + many mail systems, including Gmail, and be parsed and stored by + Patchwork. When a user viewed a patch detail page for the patch + with this message id, the script would be run. This is fixed by + properly escaping the field before it is rendered. \ No newline at end of file -- 2.20.1 _______________________________________________ Patchwork mailing list Patchwork@lists.ozlabs.org https://lists.ozlabs.org/listinfo/patchwork
