On 06/10/2015 12:23 PM, László Böszörményi (GCS) wrote:
> On Wed, Jun 10, 2015 at 10:42 AM, Salvatore Bonaccorso <car...@debian.org> wrote:
>> On Wed, Jun 10, 2015 at 09:10:56AM +0200, László Böszörményi (GCS) wrote:
>>> Just checked. The Wheezy version doesn't contain the vulnerable code segment, but the Jessie version does. Mark the bug accordingly.
>>> In case you may accept, I attach a debdiff for Jessie.
>>
>> Thanks for the quick followups. Am I right that jessie though is not affected due to
>> https://bugs.launchpad.net/horizon/+bug/1453074/comments/13
>>
>> The field help_text is always escaped already.
>>
>> Is that right?
> I think the correct answer would be 'it depends'. If you check the presentation layer where that text is used as-is, then yes, it's escaped there already. On the other hand, that text may be used in the code for addition to other variables that may not be escaped for the presentation tier. Then the user may have customized his/her installation in a way that uses the mentioned text without escaping. Last but not least, some plugin or other software may also use that text without filtering. If I think of these cases, then OpenStack may be vulnerable in other places that can be harder (but not impossible) to take advantage of this CVE.
> In short, the comment you mention emphasizes this: "Juno - ASSUME that help text is always safe:" (i.e., not 100% sure). That can be the reason upstream has an update for Juno which was merged[1]:
> Branch stable/juno
> Status Merged
>
> I say it's better to be more safe and maybe escape that string twice than have a risk of a vulnerability remaining in some use cases. But of course, you are in the position to choose if a DSA is issued or not.
Hi again,

FYI, I uploaded to Sid:
horizon_2015.1.0+2015.06.09.git15.e63af6c598-1

To Jessie backports:
horizon_2015.1.0+2015.06.09.git15.e63af6c598-1~bpo8+1

and as for Jessie, as per Laszlo's patch, it's:
horizon_2014.1.3-7+deb8u1

So the Sid and Jessie backports include the last 15 commits since the stable release (which are non-security bugfixes). I'll do it like this from now on, as it's way easier for me to do so, and because upstream is currently questioning doing point releases altogether.

I don't really mind the DSA, but I would prefer the patch to reach Jessie through the (faster) security updates.

Cheers,

Thomas Goirand (zigo)