Applied to master and stable/2.1, stable/2.0 and included in the releases. Regards, Daniel
Daniel Axtens <d...@axtens.net> writes: > Signed-off-by: Daniel Axtens <d...@axtens.net> > --- > .../notes/CVE-2019-13122-e9c63aa346ed15c2.yaml | 11 +++++++++++ > 1 file changed, 11 insertions(+) > create mode 100644 releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml > > diff --git a/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml > b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml > new file mode 100644 > index 000000000000..48afac0509bb > --- /dev/null > +++ b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml > @@ -0,0 +1,11 @@ > +--- > +fixes: > + - | > + CVE-2019-13122 has been fixed. Andrew Donnellan discovered an XSS > + via the message-id field. A malicious user could send a patch with > + a message ID that included a script tag. Because of the quirks of > + the email RFCs, such a message ID can survive being sent through > + many mail systems, including Gmail, and be parsed and stored by > + Patchwork. When a user viewed a patch detail page for the patch > + with this message id, the script would be run. This is fixed by > + properly escaping the field before it is rendered. > \ No newline at end of file > -- > 2.20.1 _______________________________________________ Patchwork mailing list Patchwork@lists.ozlabs.org https://lists.ozlabs.org/listinfo/patchwork
