[sorry for the delay, my internet connection is sketchy these days]

* Moritz Muehlenhoff [2006-01-26 10:57:53+0100]
> Florian, thanks a lot for sorting this out!
> I'll prepare the DSA; Recai, what cosmetic fixes do you intend
> to do? A security upload's changes should be strictly limited to the
> security issues.
Only changes in debian/changelog (adopt my changelog style).
> Can you send me the debdiff between the Sarge version and your proposed
> upload to the security queue or the proposed update itself?
Debdiff is attached. You can reach the proposed update at the following URIs:
http://people.debian.org/~roktas/packages/elog_2.5.7+r1558-4+sarge1.diff.gz
http://people.debian.org/~roktas/packages/elog_2.5.7+r1558-4+sarge1.dsc
http://people.debian.org/~roktas/packages/elog_2.5.7+r1558-4+sarge1_i386.deb
And here is the relevant changelog entry for your inspection:
elog (2.5.7+r1558-4+sarge1) stable-security; urgency=high

  * Major security update (big thanks to Florian Weimer)
    + Backport r1333 from upstream's Subversion repository:
      "Fixed crashes with very long (revisions) attributes"
    + Backport r1335 from upstream's Subversion repository:
      "Applied patch from Emiliano to fix possible buffer overflow"
    + Backport r1472 from upstream's Subversion repository:
      "Do not distinguish between invalid user name and invalid password
      for security reasons"
    + Backport r1487 from upstream's Subversion repository:
      "Fixed infinite redirection with ?fail=1"
    + Backport r1529 from upstream's Subversion repository:
      "Fixed bug with fprintf and buffer containing "%""
      [Our patch just eliminates the format string vulnerability.]
    + Backport r1620 from upstream's Subversion repository:
      "Prohibit '..' in URLs" [CVE-2006-0347]
    + Backport r1635 from upstream's Subversion repository:
      "Fixed potential buffer overflows" [CVE-2005-4439]
    + Backport r1636 from upstream's Subversion repository:
      "Added IP address to log file"
* Florian Weimer [2006-01-26 13:41:53+0100]
> So far, the patch for CVE-2006-0347 was missing. A tentative backport
> of the upstream fix is included below. I dropped the hunk which dealt
> with "scripts" support because this functionality is not present in
> the sarge version.
>
> The changelog entry should look like this:
>
> Backport revision 1620 from upstream Subversion repository:
> "Prohibit '..' in URLs" [CVE-2006-0347]
Hmm, I should have checked the CVE database for other issues. Thanks for
doing it on my behalf. I have applied the above patch and tested it for
a failure case explained in the Elog forums:
http://midas.psi.ch/elogs/Forum/1615
It seems fine here (Elog returns an "Invalid URL" message).
Regards,
--
roktas
[Attachment: elog_2.5.7+r1558-3_2.5.7+r1558-4+sarge1.debdiff.gz (binary data)]
[Attachment: signature.asc (digital signature)]
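Two of the changelog items above are the ones a reader is most likely to want to see in code: the fprintf format-string bug (r1529) and the rejection of '..' in request URLs (r1620, CVE-2006-0347). The C below is an added illustration written for this page; it is not elog's code and not the backported upstream revisions. The function names (`format_log_line`, `url_decode`, `url_is_acceptable`), the 1024-byte path limit and the sample inputs are assumptions, and decoding %XX escapes before the '..' check is a defensive choice of this example, not something the changelog states about the upstream patch.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration for this thread; not elog's code and not the
 * backported upstream revisions. Function names and the path-length
 * limit are assumptions.
 */

/* r1529, "Fixed bug with fprintf and buffer containing '%'":
 * the defect is an untrusted string used as the format argument, e.g.
 *     fprintf(f, text);
 * where text may hold "%s" or "%n". The fix is a constant format with
 * the text passed as a plain argument. Here the line is built with
 * snprintf so the result can be inspected; returns the length written,
 * or -1 if the line did not fit. ip is the client address (r1636). */
static int format_log_line(char *dst, size_t dstlen,
                           const char *ip, const char *text)
{
    int n = snprintf(dst, dstlen, "%s %s", ip, text);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;
    return n;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes from in into out. Returns 1 on success, 0 when an
 * escape is malformed or the result does not fit (both are refused). */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p;

    for (p = in; *p != '\0'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (hi < 0 || lo < 0)
                return 0;
            c = (hi << 4) | lo;
            p += 2;
        }
        if (o + 1 >= outlen)
            return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* r1620 / CVE-2006-0347, "Prohibit '..' in URLs": returns 1 if the
 * request path may be served, 0 if it should get the "Invalid URL"
 * reply the thread reports. The check runs on the decoded path so that
 * "%2e%2e" is caught as well (a choice of this example, not a statement
 * about the upstream patch). */
static int url_is_acceptable(const char *url)
{
    char decoded[1024];  /* assumed maximum path length */

    if (url == NULL || url[0] != '/')
        return 0;
    if (!url_decode(url, decoded, sizeof decoded))
        return 0;
    if (strstr(decoded, "..") != NULL)
        return 0;
    return 1;
}

int main(void)
{
    /* constructed sample inputs */
    const char *urls[] = { "/Forum/1615", "/../etc/passwd",
                           "/logbook/%2e%2e/secret", "relative/path" };
    char line[64];
    size_t i;

    for (i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-28s %s\n", urls[i],
               url_is_acceptable(urls[i]) ? "ok" : "Invalid URL");

    if (format_log_line(line, sizeof line, "192.0.2.10", "100%n done") > 0)
        printf("log: %s\n", line);
    return 0;
}
```

The point of `format_log_line` is only that the format string is a literal and the untrusted text is an argument, so a "%" in the text is copied rather than interpreted; `url_is_acceptable` refuses anything with ".." after decoding, which is stricter than a segment-wise check but matches the blanket prohibition the changelog describes.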