CVE-2017-7400: XSS in federation mappings UI
* Revert bump of debhelper version.
* CVE-2017-7400: XSS in federation mappings UI. Applied upstream patch: Remove dangerous safestring declaration (Closes: #859559).
* Updated Italian translation of debconf messages (Closes: #846931).

Change-Id: I0f9f5deb16e38198d26299b7c3282214084e9962
parent 3c03e6b79b
commit 8e91b43737
|
@ -1,12 +1,14 @@
|
|||
horizon (3:10.0.1-1) UNRELEASED; urgency=medium
|
||||
|
||||
[ Ondřej Nový ]
|
||||
* Bumped debhelper compat version to 10
|
||||
horizon (3:10.0.1-1) unstable; urgency=high
|
||||
|
||||
[ Ivan Udovichenko ]
|
||||
* Sync to the latest version from stable/newton.
|
||||
|
||||
-- Ivan Udovichenko <iudovichenko@mirantis.com> Fri, 30 Dec 2016 17:07:41 +0200
|
||||
[ Thomas Goirand ]
|
||||
* CVE-2017-7400: XSS in federation mappings UI. Applied upstream patch:
|
||||
Remove dangerous safestring declaration (Closes: #859559).
|
||||
* Updated Italian translation of debconf messages (Closes: #846931).
|
||||
|
||||
-- Thomas Goirand <zigo@debian.org> Tue, 04 Apr 2017 23:47:20 +0200
|
||||
|
||||
horizon (3:10.0.0-2) unstable; urgency=medium
|
||||
|
||||
|
|
|
@ -1 +1 @@
|
|||
10
|
||||
9
|
||||
|
|
|
@ -4,7 +4,7 @@ Priority: extra
|
|||
Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
|
||||
Uploaders: Thomas Goirand <zigo@debian.org>,
|
||||
Ivan Udovichenko <iudovichenko@mirantis.com>,
|
||||
Build-Depends: debhelper (>= 10),
|
||||
Build-Depends: debhelper (>= 9),
|
||||
dh-python,
|
||||
openstack-pkg-tools,
|
||||
po-debconf,
|
||||
|
|
|
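Review bot: the debhelper change in Build-Depends (">= 10" and ">= 9" both appear here, matching the 10/9 pair in the compat hunk) is a packaging revert unrelated to CVE-2017-7400, yet it ships in the same commit as the security fix and in an upload marked urgency=high. Consider splitting the revert into its own commit so the CVE patch can be cherry-picked or backported on its own, and record the revert in the changelog, since the Thomas Goirand entries list only the CVE fix and the Italian translation.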
@ -0,0 +1,34 @@
|
|||
Description: CVE-2017-7400: Remove dangerous safestring declaration
|
||||
From: Richard Jones <r1chardj0n3s@gmail.com>
|
||||
Date: Tue, 7 Mar 2017 05:55:39 +0000 (+1100)
|
||||
X-Git-Tag: 10.0.3^2
|
||||
X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=511b325b45b6bd7a88bb6df1a4639b80d0121277
|
||||
This declaration allows XSS content through the JSON and
|
||||
is unnecessary for correct rendering of the content anyway.
|
||||
Change-Id: I82355b37108609ae573237424e528aab86a24efc
|
||||
Bug-Ubuntu: https://bugs.launchpad.net/horizon/+bug/1667086
|
||||
Bug-Debian: https://bugs.debian.org/859559
|
||||
Origin: https://review.openstack.org/#/c/442454/
|
||||
Last-Update: 2017-04-04
|
||||
|
||||
diff --git a/openstack_dashboard/dashboards/identity/mappings/tables.py b/openstack_dashboard/dashboards/identity/mappings/tables.py
|
||||
index df6e8f3..9c22285 100644
|
||||
--- a/openstack_dashboard/dashboards/identity/mappings/tables.py
|
||||
+++ b/openstack_dashboard/dashboards/identity/mappings/tables.py
|
||||
@@ -14,7 +14,6 @@
|
||||
|
||||
import json
|
||||
|
||||
-from django.utils import safestring
|
||||
from django.utils.translation import ugettext_lazy as _
|
||||
from django.utils.translation import ungettext_lazy
|
||||
|
||||
@@ -75,7 +74,7 @@ def get_rules_as_json(mapping):
|
||||
rules = getattr(mapping, 'rules', None)
|
||||
if rules:
|
||||
rules = json.dumps(rules, indent=4)
|
||||
- return safestring.mark_safe(rules)
|
||||
+ return rules
|
||||
|
||||
|
||||
class MappingsTable(tables.DataTable):
|
|
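Review bot: no regression test accompanies the change at "return rules" in get_rules_as_json(), so nothing guards against mark_safe() being reintroduced later. json.dumps() does not escape "<", ">" or "&", so the fix depends entirely on the returned plain string going through Django's template auto-escaping when the column is rendered; a unit test that builds a mapping whose rules contain markup and asserts the rendered cell is escaped would pin that behaviour. On the patch header, "Bug-Ubuntu:" points at bugs.launchpad.net/horizon, which is the upstream project tracker rather than an Ubuntu package bug, so the DEP-3 "Bug:" field would describe it more accurately.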
@ -2,3 +2,4 @@ fix-dashboard-django-wsgi.patch
|
|||
fix-dashboard-manage.patch
|
||||
fixed-horizon-MANIFEST.in.patch
|
||||
stores-SECRET_KEY-in-tmp-folder-for-tests.patch
|
||||
CVE-2017-7400_Remove_dangerous_safestring_declaration.patch
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
# Italian translation of horizon's debconf messages.
|
||||
# Copyright (C) 2013, horizon package copyright holder
|
||||
# Copyright (C) 2016, horizon package copyright holder
|
||||
# This file is distributed under the same license as the horizon package.
|
||||
# Beatrice Torracca <beatricet@libero.it>, 2013.
|
||||
# Beatrice Torracca <beatricet@libero.it>, 2013, 2016.
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: horizon\n"
|
||||
"Report-Msgid-Bugs-To: horizon@packages.debian.org\n"
|
||||
"POT-Creation-Date: 2015-09-22 13:31+0000\n"
|
||||
"PO-Revision-Date: 2013-10-19 18:48+0200\n"
|
||||
"PO-Revision-Date: 2016-08-01 17:05+0200\n"
|
||||
"Last-Translator: Beatrice Torracca <beatricet@libero.it>\n"
|
||||
"Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n"
|
||||
"Language: it\n"
|
||||
|
@ -40,6 +40,8 @@ msgid ""
|
|||
"If this option is not selected, Horizon will be installed using /horizon "
|
||||
"instead of the webroot."
|
||||
msgstr ""
|
||||
"Se questa opzione non viene selezionata Horizon verrà installato usando /"
|
||||
"horizon invece di webroot."
|
||||
|
||||
#. Type: boolean
|
||||
#. Description
|
||||
|
|