Package: roundup
Version: 1.2.1-5+etch1
Severity: grave
Tags: patch
Justification: renders package unusable
Hi
The recent security update into etch, 1.2.1-5+etch1, breaks the page
rendering (templating) of roundup, making all the trackers it runs
useless. For the benefit of search engines, here is the last part of the
traceback:
[...]
  File "<string>", line 2, in f
  File "/usr/lib/python2.4/site-packages/roundup/cgi/templating.py", line 1200, in __str__
    return self.plain()
  File "/usr/lib/python2.4/site-packages/roundup/cgi/templating.py", line 1760, in plain
    if escape:
NameError: global name 'escape' is not defined
Comparing the code of templating.py with the previous version makes the
fix obvious luckily. In templating.py on line 2698 change:

    def plain(self):

back into:

    def plain(self, escape=0):

Note that I didn't cross-check the CVE (it mentions escaping user input
in #472643) so maybe defaulting to the old '0' is not correct and it
should be '1' to fix the CVE. I don't know that much about it, all I
know is that I want a working system (and since it's internal I trust
my users...)
Regards
Floris
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Versions of packages roundup depends on:
ii python 2.4.4-2 An interactive high-level object-o
ii python-central 0.5.12 register and build utility for Pyt
roundup recommends no packages.
-- no debconf information
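
Added example, not part of the original report or of roundup's code: a static check built on Python's symtable module for the class of regression reported above, where a method body still reads a name (`escape`) that a patch dropped from the signature. The StringProperty class and html_escape helper are constructed stand-ins, not roundup's templating.py, and the source is only analysed, never executed.

```python
import builtins
import symtable

# Constructed stand-in for the regression: plain() still reads `escape`,
# but the parameter is missing from its signature.
BROKEN = '''\
def html_escape(text):
    return text.replace("&", "&amp;").replace("<", "&lt;")

class StringProperty:
    def __init__(self, value):
        self._value = value

    def plain(self):
        if escape:
            return html_escape(self._value)
        return self._value

    def __str__(self):
        return self.plain()
'''
# Same source with the signature from the report restored.
FIXED = BROKEN.replace("def plain(self):", "def plain(self, escape=0):")

def undefined_globals(source, filename="<constructed>"):
    """Return sorted (scope, name) pairs for names that are read as globals
    but are bound neither at module level nor in builtins."""
    top = symtable.symtable(source, filename, "exec")
    defined = {s.get_name() for s in top.get_symbols()
               if s.is_assigned() or s.is_imported()}
    findings = []

    def walk(table):
        for sym in table.get_symbols():
            name = sym.get_name()
            if (sym.is_referenced() and sym.is_global()
                    and name not in defined and not hasattr(builtins, name)):
                findings.append((table.get_name(), name))
        for child in table.get_children():
            walk(child)

    walk(top)
    return sorted(findings)

if __name__ == "__main__":
    print("broken:", undefined_globals(BROKEN))
    print("fixed: ", undefined_globals(FIXED))
```

The check only confirms that every name resolves; whether the default should be 0 or 1 is the separate escaping question raised in the report.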