Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package otrs2

This is another security update; the description follows in the diff:

diff -Naur '--exclude=.svn' 3.1.7+dfsg1-5/debian/changelog 3.1.7+dfsg1-6/debian/changelog --- 3.1.7+dfsg1-5/debian/changelog 2012-08-28 21:48:05.009944927 +0200 +++ 3.1.7+dfsg1-6/debian/changelog 2012-10-16 11:14:16.498983306 +0200 @@ -1,3 +1,11 @@ +otrs2 (3.1.7+dfsg1-6) unstable; urgency=medium + + * Add upstream patch 30-osa-2012-03-js-xss to improve HTML security, where a + special prepared HTML e-mail could cause to execute JavaScript code within + your browser, as described in OSA-2012-03 and CVE-2012-4751. + + -- Patrick Matthäi <pmatth...@debian.org> Tue, 16 Oct 2012 11:10:43 +0200 + otrs2 (3.1.7+dfsg1-5) unstable; urgency=medium * Add upstream patch 29-security-tag-nesting to improve HTML security to diff -Naur '--exclude=.svn' 3.1.7+dfsg1-5/debian/patches/30-osa-2012-03-js-xss.diff 3.1.7+dfsg1-6/debian/patches/30-osa-2012-03-js-xss.diff --- 3.1.7+dfsg1-5/debian/patches/30-osa-2012-03-js-xss.diff 1970-01-01 01:00:00.000000000 +0100 +++ 3.1.7+dfsg1-6/debian/patches/30-osa-2012-03-js-xss.diff 2012-10-16 11:14:16.498983306 +0200 
@@ -0,0 +1,37 @@ +# Upstream advisory 2012-03: +# This advisory covers vulnerabilities discovered in the OTRS core system. This +# is a variance of the XSS vulnerability, where an attacker could send a +# specially prepared HTML email to OTRS which would cause JavaScript code to be +# executed in your browser while displaying the email. In this case this is +# achieved by using javascript source attributes with whitespaces. +# This fixes CVE-2012-4751. + +diff -Naur otrs2-3.1.7+dfsg1.orig/Kernel/System/HTMLUtils.pm otrs2-3.1.7+dfsg1/Kernel/System/HTMLUtils.pm +--- otrs2-3.1.7+dfsg1.orig/Kernel/System/HTMLUtils.pm 2012-10-16 11:00:00.000000000 +0200 ++++ otrs2-3.1.7+dfsg1/Kernel/System/HTMLUtils.pm 2012-10-16 11:03:17.189097532 +0200 +@@ -1024,10 +1024,14 @@ + + # remove javascript in a href links or src links + $Replaced += $Tag =~ s{ +- ((\s|;)(background|url|src|href)=)('|"|)(javascript.+?)('|"|)(\s|$TagEnd) ++ ((?:\s|;)(?:background|url|src|href)=) ++ ('|"|) # delimiter, can be empty ++ (?:\s*javascript.*?) # javascript, followed by anything but the delimiter ++ \2 # delimiter again ++ (\s|$TagEnd) + } + { +- "$1\"\"$7"; ++ "$1\"\"$3"; + }sgxime; + + # remove link javascript tags +@@ -1038,7 +1042,7 @@ + + # remove MS CSS expressions (JavaScript embedded in CSS) + $Replaced += $Tag =~ s{ +- \sstyle=("|')[^\1]*?expression[(][^\1]*?\1($TagEnd|\s) ++ \sstyle=("|')[^\1]*?expression[(].*?\1($TagEnd|\s) + } + { + $2; diff -Naur '--exclude=.svn' 3.1.7+dfsg1-5/debian/patches/series 3.1.7+dfsg1-6/debian/patches/series --- 3.1.7+dfsg1-5/debian/patches/series 2012-08-28 21:48:05.009944927 +0200 +++ 3.1.7+dfsg1-6/debian/patches/series 2012-10-16 11:14:16.498983306 +0200 
@@ -17,3 +17,4 @@ 27-imaptls-more-than-one-email.diff 28-osa-2012-01-ie-xss.diff 29-security-tag-nesting.diff +30-osa-2012-03-js-xss.diff

unblock otrs2/3.1.7+dfsg1-6

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
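Review bot: the debian/changelog hunk describes the issue as "a special prepared HTML e-mail could cause to execute JavaScript code within your browser", which reads awkwardly; suggest "a specially prepared HTML e-mail could cause JavaScript code to be executed in the browser", which also matches the wording of the advisory header carried at the top of 30-osa-2012-03-js-xss.diff. Since the upload closes CVE-2012-4751, consider urgency=high instead of urgency=medium, as is customary for security uploads.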
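Review bot: in the first Kernel/System/HTMLUtils.pm hunk (the `s{ ... }sgxime` that blanks javascript in background/url/src/href attributes) the new inline comment "# javascript, followed by anything but the delimiter" does not describe what `(?:\s*javascript.*?)` matches: with the `s` modifier `.*?` matches any character, delimiter included, and only stops at the first position where `\2` followed by `(\s|$TagEnd)` can match. Reword it to something like "# javascript, then the shortest run up to the closing delimiter" so the next reader does not assume the delimiter is excluded. The functional change is the `\s*` in front of `javascript`, which is exactly the leading-whitespace case OSA-2012-03 describes, plus the switch from a second `('|"|)` to `\2`, which now requires the closing delimiter to equal the opening one where the old pattern accepted any. The replacement index change `$7` to `$3` is correct: after the first two groups become `(?:...)`, the remaining captures are the attribute prefix, the delimiter, and the trailing `(\s|$TagEnd)`. A regression test exercising the three delimiter forms (single quote, double quote, none) with whitespace before the keyword would make the intent of both changes explicit.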
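Review bot: the second Kernel/System/HTMLUtils.pm hunk (the MS CSS `expression(` filter) replaces only the second `[^\1]*?` with `.*?` and leaves the first `[^\1]*?` in place. Inside a bracketed character class `\1` is not a backreference to the quote captured by `("|')`; Perl reads it as the octal escape for chr(1), so `[^\1]*?` already means "any character except \x01", which under the `s` modifier is effectively the same as `.*?`. For consistency, and so that nobody reads the remaining class as "anything but the quote", change the first occurrence to `.*?` as well; if excluding the quote really is the intent, it needs an explicit negated class listing the quote characters, which would be a behaviour change worth a dedicated test.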