Sorry, forgot to attach the .debdiff... Upload to stable-updates comes in a minute.
Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
diff -Nru gosa-2.7.4/debian/changelog gosa-2.7.4/debian/changelog --- gosa-2.7.4/debian/changelog 2013-07-12 17:10:09.000000000 +0200 +++ gosa-2.7.4/debian/changelog 2014-12-19 09:23:50.000000000 +0100 @@ -1,3 +1,24 @@ +gosa (2.7.4-4.3~deb7u2) stable-updates; urgency=medium + + * debian/control: + + Update Maintainer: Debian Edu Packaging Team. + + Drop from Uploaders: Cajus Pollmeier (retired DD). + + Add to Uploaders: Mike Gabriel (current maintainer of gosa in + Debian unstable). + * debian/patches: + + Add 0003_xss-vulnerability-on-login-screen.patch. Fix XSS issue + during login. Picked from GOsa² upstream and from the gosa package + in Debian unstable. + + Add 1002_trim-decrypt.patch. Fix authentication of GOsa² against + the underlying LDAP server(s) via the gosa-admin DN. (Closes: + #768509). The issue has been fixed in Debian unstable a while back + (see Debian bug #748065) and currently only affects the gosa + package in Debian wheezy (a fix has recently been uploaded to + squeeze-lts). The bug is a regression caused by fixing DSA 3064-1 + in php5 + + -- Mike Gabriel <sunwea...@debian.org> Fri, 19 Dec 2014 09:22:48 +0100 + gosa (2.7.4-4.3~deb7u1) stable-updates; urgency=low * Upload to stable updates. diff -Nru gosa-2.7.4/debian/control gosa-2.7.4/debian/control --- gosa-2.7.4/debian/control 2012-06-19 10:04:53.000000000 +0200 +++ gosa-2.7.4/debian/control 2014-12-19 09:17:45.000000000 +0100 
@@ -1,8 +1,8 @@ Source: gosa Section: web Priority: optional -Maintainer: GOsa packages maintainers group <gosa-...@oss.gonicus.de> -Uploaders: Cajus Pollmeier <ca...@debian.org> +Maintainer: Debian Edu Packaging Team <debian-edu-pkg-t...@lists.alioth.debian.org> +Uploaders: Mike Gabriel <sunwea...@debian.org> Build-Depends: debhelper (>= 7.0.50~) Build-Depends-Indep: po-debconf Standards-Version: 3.9.3 diff -Nru gosa-2.7.4/debian/patches/0003_xss-vulnerability-on-login-screen.patch gosa-2.7.4/debian/patches/0003_xss-vulnerability-on-login-screen.patch --- gosa-2.7.4/debian/patches/0003_xss-vulnerability-on-login-screen.patch 1970-01-01 01:00:00.000000000 +0100 +++ gosa-2.7.4/debian/patches/0003_xss-vulnerability-on-login-screen.patch 2014-08-12 16:40:22.000000000 +0200 @@ -0,0 +1,14 @@ +Description: Escape html entities to fix xss at the login screen +Author: Benjamin Zapiec + +Index: gosa-core/html/index.php +=================================================================== +--- a/gosa-core/html/index.php (revision 21273) ++++ b/gosa-core/html/index.php (revision 21276) +@@ -389,5 +389,5 @@ + /* Fill template with required values */ + $smarty->assign ('date', gmdate("D, d M Y H:i:s")); +-$smarty->assign ('username', $username); ++$smarty->assign ('username', set_post($username)); + $smarty->assign ('personal_img', get_template_path('images/login-head.png')); + $smarty->assign ('password_img', get_template_path('images/password.png')); diff -Nru gosa-2.7.4/debian/patches/1002_trim-decrypt.patch gosa-2.7.4/debian/patches/1002_trim-decrypt.patch --- gosa-2.7.4/debian/patches/1002_trim-decrypt.patch 1970-01-01 01:00:00.000000000 +0100 +++ gosa-2.7.4/debian/patches/1002_trim-decrypt.patch 2014-08-12 16:47:45.000000000 +0200 
@@ -0,0 +1,29 @@ +Author: Andreas B. Mundt <andi.mu...@web.de> +Description: Decryption of LDAP password fails (encrypted with gosa-encrypt-passwords) +Abstract: + The decryption of the LDAP password (which has been encrypted by + gosa-encrypt-passwords) seems to fail. + . + When trying to login at the GOsa web interface, an error regarding the + LDAP connection happens ('Error while connecting to LDAP: Could not + bind to ... '). + . + After copying gosa.conf.orig to gosa.conf (with read permissions for + group www-data), things work again as expected. + . + So the decryption of the LDAP password which has been encrypted by + running gosa-encrypt-passwords does not seem to work. + +Index: gosa-core/include/functions.inc +=================================================================== +--- a/gosa-core/include/functions.inc ++++ b/gosa-core/include/functions.inc +@@ -3334,7 +3334,7 @@ function cred_decrypt($input,$password) + $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); + $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM); + +- return mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $password, pack("H*", $input), MCRYPT_MODE_ECB, $iv); ++ return rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $password, pack("H*", $input), MCRYPT_MODE_ECB, $iv), "\0\3\4\n"); + } + + diff -Nru gosa-2.7.4/debian/patches/series gosa-2.7.4/debian/patches/series --- gosa-2.7.4/debian/patches/series 2013-06-08 18:58:37.000000000 +0200 +++ gosa-2.7.4/debian/patches/series 2014-12-19 09:16:46.000000000 +0100 @@ -6,3 +6,5 @@ 04_fix_locale_location.patch no-image-warning.patch fix-mass-ldapimport.patch +0003_xss-vulnerability-on-login-screen.patch +1002_trim-decrypt.patch
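Review bot: in the debian/changelog hunk, the 1002_trim-decrypt entry stops at "The bug is a regression caused by fixing DSA 3064-1 in php5" without a closing period and without saying which decryption behaviour the php5 update changed; since that sentence is the whole justification for working around the problem in GOsa rather than in php5, add one sentence describing the changed mcrypt_decrypt behaviour so a later maintainer can tell when the patch can be dropped. The 0003 entry says the XSS fix was "Picked from GOsa² upstream" but gives no reference; the patch header cites upstream revisions 21273 and 21276, so name the revision in the changelog too and the two records will agree.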
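Review bot: the DEP-3 header of 0003_xss-vulnerability-on-login-screen.patch has Description: and Author: but no Origin:, Bug: or Forwarded: fields, although the changelog says it was picked from upstream; add at least `Origin: upstream, revision 21276` (the revision the hunk itself names) so the provenance is machine-readable. On the change itself, the only line touched wraps `$username` in `set_post()` before it is assigned to the Smarty template; the description promises HTML-entity escaping, so please confirm in the review that `set_post()` really escapes for HTML output rather than only normalising the value, and note in the header that other template variables on the login page (`date`, `personal_img`, `password_img` in the context lines) are not user-controlled, which is why they are left as they are.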
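Review bot: the `rtrim(..., "\0\3\4\n")` in 1002_trim-decrypt.patch removes trailing bytes by value rather than by the padding scheme that produced them, so it only works by coincidence for the cases seen so far. If the encryption side pads PKCS#7-style (pad byte equals pad length), only pad lengths 3 and 4 are stripped and a password whose padding is \1, \2 or \5 through \x0f still fails to bind; conversely a secret that legitimately ends in one of the listed bytes (a trailing newline from the config file, for instance) is silently truncated. Determine how gosa-encrypt-passwords actually pads and undo that padding explicitly, e.g. read the last byte, check it is in range and that the preceding bytes match, then cut that many bytes, and document the expected layout in a comment next to the call. Separately, the surrounding context lines compute an IV size for MCRYPT_MODE_CBC and draw random bytes from MCRYPT_DEV_RANDOM, yet the decrypt call uses MCRYPT_MODE_ECB, where the IV is ignored; that is pre-existing and out of scope here, but worth a follow-up bug, since ECB gives no integrity or randomisation for the stored credential. The Description:/Abstract: text is a bug report narrative ("seems to fail", "does not seem to work"); replace it with a short statement of the root cause and of what the patch changes.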