Control: found -1 2014.1.3-1

Hi Salvatore,

On Wed, Jun 10, 2015 at 7:37 AM, Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: horizon
> Version: 2015.1.0-1
> Severity: important
> Tags: security upstream fixed-upstream
[...]
> CVE-2015-3219[0]:
> XSS in Horizon Heat stack creation
[...]
> Please adjust the affected versions in the BTS as needed.
Just checked. The Wheezy version doesn't contain the vulnerable code
segment, but the Jessie version does. Mark the bug accordingly.
In case you accept it, I attach a debdiff for Jessie.

Regards,
Laszlo/GCS
diff -Nru horizon-2014.1.3/debian/changelog horizon-2014.1.3/debian/changelog
--- horizon-2014.1.3/debian/changelog	2015-01-21 15:47:35.000000000 +0100
+++ horizon-2014.1.3/debian/changelog	2015-06-10 08:27:18.000000000 +0200
@@ -1,3 +1,9 @@
+horizon (2014.1.3-7+deb8u1) jessie-security; urgency=high
+
+  * Fix CVE-2015-3219 with upstream patch.
+
+ -- Laszlo Boszormenyi (GCS) <g...@debian.org>  Wed, 10 Jun 2015 08:25:45 +0200
+
 horizon (2014.1.3-7) unstable; urgency=medium
 
   * Fix Moscow timezone check and avoid FTBFS (Closes: #775636).
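Review bot: the new changelog entry does not close the Debian bug that the patch header itself references (`Bug-Debian: https://bugs.debian.org/788306`), so the BTS would not be updated automatically by the upload; suggest `* Fix CVE-2015-3219 with upstream patch (Closes: #788306).` so the jessie-security upload records the fix against the bug in the usual way. The version `2014.1.3-7+deb8u1` and the `jessie-security` distribution with `urgency=high` look right for a stable security update.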
diff -Nru horizon-2014.1.3/debian/patches/CVE-2015-3219_XSS_in_Horizon_Heat_stack_creation.patch horizon-2014.1.3/debian/patches/CVE-2015-3219_XSS_in_Horizon_Heat_stack_creation.patch
--- horizon-2014.1.3/debian/patches/CVE-2015-3219_XSS_in_Horizon_Heat_stack_creation.patch	1970-01-01 01:00:00.000000000 +0100
+++ horizon-2014.1.3/debian/patches/CVE-2015-3219_XSS_in_Horizon_Heat_stack_creation.patch	2015-06-10 08:50:49.000000000 +0200
@@ -0,0 +1,36 @@
+Description: Escape the description param from heat template
+ The heat template allows user to define custom parameters,
+ the fields are then converted to input fields. The description
+ param maps to the help_text attribute of the field.
+ .
+ Since the value comes from the user, the value must be escaped
+ before rendering.
+Origin: upstream, https://review.openstack.org/#/c/189821/
+Bug: https://bugs.launchpad.net/horizon/+bug/1453074
+Bug-Debian: https://bugs.debian.org/788306
+Forwarded: not-needed
+Author: Lin Hua Cheng <os.lch...@gmail.com>
+Reviewed-By: David Lyle <david.l...@intel.com>
+Last-Update: 2015-06-09
+
+---
+
+--- horizon-2014.1.3.orig/openstack_dashboard/dashboards/project/stacks/forms.py
++++ horizon-2014.1.3/openstack_dashboard/dashboards/project/stacks/forms.py
+@@ -15,6 +15,7 @@
+ import json
+ import logging
+ 
++from django.utils import html
+ from django.utils.translation import ugettext_lazy as _
+ from django.views.decorators.debug import sensitive_variables  # noqa
+ 
+@@ -307,7 +308,7 @@ class CreateStackForm(forms.SelfHandling
+             field_args = {
+                 'initial': param.get('Default', None),
+                 'label': param_key,
+-                'help_text': param.get('Description', ''),
++                'help_text': html.escape(param.get('Description', '')),
+                 'required': param.get('Default', None) is None
+             }
+ 
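Review bot: escaping at field-construction time is the correct place for this fix, because Django inserts a field's `help_text` into the generated form markup without HTML-escaping it (the documented behaviour of `help_text`), so a template-side autoescape would not have caught a `Description` taken straight from a user-supplied Heat template; `django.utils.html.escape` also returns a string marked safe, so the already-escaped value is not escaped a second time when the form is rendered with autoescaping on. The other user-controlled values in the same `field_args` dict, `'label': param_key` and `'initial': param.get('Default', None)`, are left alone, which is fine since Django escapes labels in `label_tag` and widget values when it renders them; it would be worth a one-line comment above the `help_text` line saying why only this key is escaped, so a future cleanup does not remove the call as redundant. The `from django.utils import html` import is placed between `json`/`logging` and the existing `django.utils.translation` import, matching the file's grouping.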
diff -Nru horizon-2014.1.3/debian/patches/series horizon-2014.1.3/debian/patches/series
--- horizon-2014.1.3/debian/patches/series	2015-01-21 15:47:35.000000000 +0100
+++ horizon-2014.1.3/debian/patches/series	2015-06-10 08:47:54.000000000 +0200
@@ -8,3 +8,4 @@
 Update_WSGI_app_creation_to_be_compatible_with_Django_1.7.patch
 CVE-2014-8124_Horizon_login_page_contains_DOS_attack_mechanism_icehouse_.patch
 fix-moscow-tz-test.patch
+CVE-2015-3219_XSS_in_Horizon_Heat_stack_creation.patch