Re: Stable update of dajaxice
On Sunday 27 February 2011 15:49:28 Angel Abad wrote:
> > Please upload the package to security-master then. Note that you need to
> > change the target in the changelog and build the package with full source
> > (-sa flag). Full checklist of packages for security-master is here:
> > http://www.debian.org/doc/developers-reference/pkgs.html#bug-security-building
> > The security team will then take care of releasing it through
> > security-master.
>
> Uploaded,

I don't see it, where did you upload to?


Thijs

-- 
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201102271601.54177.th...@debian.org
Re: Stable update of dajaxice
2011/2/26 Thijs Kinkhorst th...@debian.org:
> Hi Angel,
>
> On Thursday 24 February 2011 12:27:21 Angel Abad wrote:
> > 2011/2/24 Adam D. Barratt a...@adam-barratt.org.uk:
> > > Hi,
> > >
> > > On Thu, February 24, 2011 10:16, Angel Abad wrote:
> > > > I've prepared an upload to stable for package dajaxice, since
> > > > python-django was patched for problems related with csrf cookies,
> > > > dajaxice is unusable in squeeze.
> > >
> > > Was this issue introduced as a side-effect of the changes in DSA-2163-1,
> > > specifically those marked as backwardly-incompatible? If so then it would
> > > be good if this could also be fixed via the security archive, as the
> > > regression was introduced in a security update (albeit in a different
> > > package); I've CCed the security team for comment.
> >
> > Yes, you are right, it is a side-effect of DSA-2163-1 - CVE-2011-0696
>
> Please upload the package to security-master then. Note that you need to
> change the target in the changelog and build the package with full source
> (-sa flag). Full checklist of packages for security-master is here:
> http://www.debian.org/doc/developers-reference/pkgs.html#bug-security-building
> The security team will then take care of releasing it through
> security-master.

Uploaded,

Thanks for your help in my first security upload.

Regards!

> Cheers,
> Thijs

-- 
Angel Abad
angela...@gmail.com | angela...@ubuntu.com | angela...@fsfe.org
http://www.pastelero.net
FPR: EBF6 080D 59D4 008A DF47 00D4 098D AE47 EE3B C279

Archive: http://lists.debian.org/AANLkTim5EhGs+-OFjGds2BML79+goKy3xyrk2u...@mail.gmail.com
Re: Stable update of dajaxice
2011/2/27 Thijs Kinkhorst th...@debian.org:
> On Sunday 27 February 2011 15:49:28 Angel Abad wrote:
> > > Please upload the package to security-master then. Note that you need to
> > > change the target in the changelog and build the package with full source
> > > (-sa flag). Full checklist of packages for security-master is here:
> > > http://www.debian.org/doc/developers-reference/pkgs.html#bug-security-building
> > > The security team will then take care of releasing it through
> > > security-master.
> >
> > Uploaded,
>
> I don't see it, where did you upload to?

To security-master:

root@goa:/tmp/aaa# dput security-master dajaxice_0.1.5-1+squeeze1_powerpc.changes
Checking signature on .changes
gpg: Signature made Sun Feb 27 14:43:31 2011 UTC using DSA key ID EE3BC279
gpg: Good signature from Angel Abad angela...@gmail.com
gpg:                 aka Angel Abad (Indio) an...@sindominio.net
gpg:                 aka Angel Abad angela...@ubuntu.com
Good signature on /tmp/aaa/dajaxice_0.1.5-1+squeeze1_powerpc.changes.
Checking signature on .dsc
gpg: Signature made Sun Feb 27 14:43:29 2011 UTC using DSA key ID EE3BC279
gpg: Good signature from Angel Abad angela...@gmail.com
gpg:                 aka Angel Abad (Indio) an...@sindominio.net
gpg:                 aka Angel Abad angela...@ubuntu.com
Good signature on /tmp/aaa/dajaxice_0.1.5-1+squeeze1.dsc.
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Do NOT upload a package to the security upload queues without prior
authorization from the security team. See the following URL for
instructions: http://www.debian.org/doc/developers-reference/pkgs#bug-security
Please enter "really upload" (without the quotes) to proceed with the upload.
really upload
Uploading to security-master (via ftp to security-master.debian.org):
  Uploading dajaxice_0.1.5-1+squeeze1.dsc: done.
  Uploading dajaxice_0.1.5.orig.tar.gz: done.
  Uploading dajaxice_0.1.5-1+squeeze1.debian.tar.gz: done.
  Uploading python-django-dajaxice_0.1.5-1+squeeze1_all.deb: done.
  Uploading dajaxice_0.1.5-1+squeeze1_powerpc.changes: done.
Successfully uploaded packages.

Regards,

> Thijs

-- 
Angel Abad
angela...@gmail.com | angela...@ubuntu.com | angela...@fsfe.org
http://www.pastelero.net
FPR: EBF6 080D 59D4 008A DF47 00D4 098D AE47 EE3B C279

Archive: http://lists.debian.org/aanlktiny8k5obj5iqcbnrm3j1g_ytjslh75tge40o...@mail.gmail.com
Re: Stable update of dajaxice
Hi Angel,

On Thursday 24 February 2011 12:27:21 Angel Abad wrote:
> 2011/2/24 Adam D. Barratt a...@adam-barratt.org.uk:
> > Hi,
> >
> > On Thu, February 24, 2011 10:16, Angel Abad wrote:
> > > I've prepared an upload to stable for package dajaxice, since
> > > python-django was patched for problems related with csrf cookies,
> > > dajaxice is unusable in squeeze.
> >
> > Was this issue introduced as a side-effect of the changes in DSA-2163-1,
> > specifically those marked as backwardly-incompatible? If so then it would
> > be good if this could also be fixed via the security archive, as the
> > regression was introduced in a security update (albeit in a different
> > package); I've CCed the security team for comment.
>
> Yes, you are right, it is a side-effect of DSA-2163-1 - CVE-2011-0696

Please upload the package to security-master then. Note that you need to
change the target in the changelog and build the package with full source
(-sa flag). Full checklist of packages for security-master is here:
http://www.debian.org/doc/developers-reference/pkgs.html#bug-security-building
The security team will then take care of releasing it through
security-master.


Cheers,
Thijs
Stable update of dajaxice
I've prepared an upload to stable for package dajaxice, since python-django
was patched for problems related with csrf cookies, dajaxice is unusable in
squeeze.

The patch comes from upstream developer as you can see in Ubuntu bug.

Any chance for this to be accepted?

-- 
Angel Abad
angela...@ubuntu.com
angela...@gmail.com

$ diffstat dajaxice_0.1.5-1squeeze1.debdiff changelog |7 +++ patches/fix_csrf_verification | 42 ++ patches/series|1 + 3 files changed, 50 insertions(+) diff -Nru dajaxice-0.1.5/debian/changelog dajaxice-0.1.5/debian/changelog --- dajaxice-0.1.5/debian/changelog2010-07-11 13:17:35.0 + +++ dajaxice-0.1.5/debian/changelog2011-02-24 09:33:02.0 + @@ -1,3 +1,10 @@ +dajaxice (0.1.5-1squeeze1) stable; urgency=high + + * debian/patches/fix_csrf_verification: (Closes: #614787) +- Fix bug related to CSRF verification on Django + + -- Angel Abad angela...@gmail.com Thu, 24 Feb 2011 09:24:51 + + dajaxice (0.1.5-1) unstable; urgency=low * New upstream release diff -Nru dajaxice-0.1.5/debian/patches/fix_csrf_verification dajaxice-0.1.5/debian/patches/fix_csrf_verification --- dajaxice-0.1.5/debian/patches/fix_csrf_verification1970-01-01 00:00:00.0 + +++ dajaxice-0.1.5/debian/patches/fix_csrf_verification2011-02-24 09:30:43.0 + 
@@ -0,0 +1,42 @@ +Description: Fix bug related to CSRF verification on Django +Author: Jorge Bastida neo2...@gmail.com +From: Angel Abad angela...@ubuntu.com +Bug-Ubuntu: https://launchpad.net/bugs/723585 +Bug-Debian: http://bugs.debian.org/614787 + +diff --git a/dajaxice/templates/dajaxice/dajaxice.core.js b/dajaxice/templates/dajaxice/dajaxice.core.js +index f3f1926..a052d93 100644 +--- a/dajaxice/templates/dajaxice/dajaxice.core.js b/dajaxice/templates/dajaxice/dajaxice.core.js +@@ -3,6 +3,23 @@ var Dajaxice = { + {% include dajaxice/dajaxice_core_loop.js %} + {% endfor %}{% ifnotequal dajaxice_js_functions|length 0 %},{% endifnotequal %} + ++get_cookie: function(name) ++{ ++var cookieValue = null; ++if (document.cookie document.cookie != '') { ++var cookies = document.cookie.split(';'); ++for (var i = 0; i cookies.length; i++) { ++var cookie = cookies[i].toString().replace(/^\s+/, ).replace(/\s+$/, ); ++// Does this cookie string begin with the name we want? ++if (cookie.substring(0, name.length + 1) == (name + '=')) { ++cookieValue = decodeURIComponent(cookie.substring(name.length + 1)); ++break; ++} ++} ++} ++return cookieValue; ++}, ++ + call: function(dajaxice_function, dajaxice_callback, argv) + { + var send_data = []; +@@ -12,6 +29,7 @@ var Dajaxice = { + var oXMLHttpRequest = new XMLHttpRequest; + oXMLHttpRequest.open('POST', '/{{DAJAXICE_URL_PREFIX}}/'+dajaxice_function+'/'); + oXMLHttpRequest.setRequestHeader(X-Requested-With, XMLHttpRequest); ++ oXMLHttpRequest.setRequestHeader(X-CSRFToken,Dajaxice.get_cookie('csrftoken')); + oXMLHttpRequest.onreadystatechange = function() { + if (this.readyState == XMLHttpRequest.DONE) { + eval(this.responseText); diff -Nru dajaxice-0.1.5/debian/patches/series dajaxice-0.1.5/debian/patches/series --- dajaxice-0.1.5/debian/patches/series1970-01-01 00:00:00.0 + +++ dajaxice-0.1.5/debian/patches/series2011-02-24 09:30:43.0 + 
@@ -0,0 +1 @@ +fix_csrf_verification
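Review bot: in the debian/changelog hunk the target is `stable` and the version is `0.1.5-1squeeze1`, which is not what an upload through security-master needs; as Thijs points out later in the thread, the changelog target has to be changed for the security queue, and the upload that eventually went through uses the version `0.1.5-1+squeeze1`, so this hunk will have to be regenerated before the security upload. The `(Closes: #614787)` reference and `urgency=high` are fine as they are.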
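Review bot: as it appears in the mail, the `get_cookie` hunk of fix_csrf_verification is not valid JavaScript: `if (document.cookie document.cookie != '')` lacks the `&&`, `for (var i = 0; i cookies.length; i++)` lacks the `<`, and `.replace(/^\s+/, ).replace(/\s+$/, )` lacks the `''` second arguments (the `setRequestHeader(X-Requested-With, XMLHttpRequest)` context line has lost its quotes too). This is most likely the mail being mangled on its way to the archive rather than the patch file itself, but since this is going into a security upload, please confirm that `debian/patches/fix_csrf_verification` in the uploaded source applies cleanly and matches upstream's commit before it goes to security-master.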
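Review bot: in the second hunk of dajaxice.core.js the `X-CSRFToken` header is set unconditionally from `Dajaxice.get_cookie('csrftoken')`, and `get_cookie` returns `null` when no `csrftoken` cookie exists (for instance on a page that never rendered `{% csrf_token %}`), so the browser sends the literal string `null` and Django still answers 403, exactly the failure this patch is meant to fix. Consider only adding the header when a token is present, e.g. `var token = Dajaxice.get_cookie('csrftoken');` followed by `if (token) { oXMLHttpRequest.setRequestHeader('X-CSRFToken', token); }`, and noting in the package documentation that pages using Dajaxice must make sure the CSRF cookie is set. Sending the cookie value back in the header is the right approach: since DSA-2163-1 the `X-Requested-With: XMLHttpRequest` header alone no longer exempts a POST from the CSRF check.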
Re: Stable update of dajaxice
Sorry for duplicate attachment. Thanks!
Re: Stable update of dajaxice
Hi,

On Thu, February 24, 2011 10:16, Angel Abad wrote:
> I've prepared an upload to stable for package dajaxice, since python-django
> was patched for problems related with csrf cookies, dajaxice is unusable in
> squeeze.

Was this issue introduced as a side-effect of the changes in DSA-2163-1,
specifically those marked as backwardly-incompatible? If so then it would be
good if this could also be fixed via the security archive, as the regression
was introduced in a security update (albeit in a different package); I've
CCed the security team for comment.

Regards,

Adam

Archive: http://lists.debian.org/67b70d29ecd84761b18e1d14ae57fac9.squir...@adsl.funkybadger.org
Re: Stable update of dajaxice
2011/2/24 Adam D. Barratt a...@adam-barratt.org.uk:
> Hi,
>
> On Thu, February 24, 2011 10:16, Angel Abad wrote:
> > I've prepared an upload to stable for package dajaxice, since
> > python-django was patched for problems related with csrf cookies,
> > dajaxice is unusable in squeeze.
>
> Was this issue introduced as a side-effect of the changes in DSA-2163-1,
> specifically those marked as backwardly-incompatible? If so then it would
> be good if this could also be fixed via the security archive, as the
> regression was introduced in a security update (albeit in a different
> package); I've CCed the security team for comment.

Yes, you are right, it is a side-effect of DSA-2163-1 - CVE-2011-0696

Regards,

> Regards,
>
> Adam

-- 
Angel Abad
angela...@gmail.com | angela...@ubuntu.com | angela...@fsfe.org
http://www.pastelero.net
FPR: EBF6 080D 59D4 008A DF47 00D4 098D AE47 EE3B C279

Archive: http://lists.debian.org/AANLkTimsCHVy=WAUGqMWVNFx=qcqiyxebasgf-u6r...@mail.gmail.com