CVE-2017-7400: XSS in federation mappings UI

* Revert bump of debhelper version. * CVE-2017-7400: XSS in federation mappings UI. Applied upstream patch: Remove dangerous safestring declaration (Closes: #859559). * Updated Italian translation of debconf messages (Closes: #846931). Change-Id: I0f9f5deb16e38198d26299b7c3282214084e9962
2017-04-04 23:42:35 +02:00 · 2017-04-04 23:42:35 +02:00 · 8e91b43737
parent 3c03e6b79b
commit 8e91b43737
6 changed files with 49 additions and 10 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,12 +1,14 @@
-horizon (3:10.0.1-1) UNRELEASED; urgency=medium
-
-  [ Ondřej Nový ]
-  * Bumped debhelper compat version to 10
+horizon (3:10.0.1-1) unstable; urgency=high

  [ Ivan Udovichenko ]
  * Sync to the latest version from stable/newton.

- -- Ivan Udovichenko <iudovichenko@mirantis.com>  Fri, 30 Dec 2016 17:07:41 +0200
+  [ Thomas Goirand ]
+  * CVE-2017-7400: XSS in federation mappings UI. Applied upstream patch:
+    Remove dangerous safestring declaration (Closes: #859559).
+  * Updated Italian translation of debconf messages (Closes: #846931).
+
+ -- Thomas Goirand <zigo@debian.org>  Tue, 04 Apr 2017 23:47:20 +0200

 horizon (3:10.0.0-2) unstable; urgency=medium

--- a/debian/compat
+++ b/debian/compat
@ -1 +1 @@
-10
+9
--- a/debian/control
+++ b/debian/control
@ -4,7 +4,7 @@ Priority: extra
 Maintainer: PKG OpenStack <openstack-devel@lists.alioth.debian.org>
 Uploaders: Thomas Goirand <zigo@debian.org>,
           Ivan Udovichenko <iudovichenko@mirantis.com>,
-Build-Depends: debhelper (>= 10),
+Build-Depends: debhelper (>= 9),
               dh-python,
               openstack-pkg-tools,
               po-debconf,
--- a/debian/patches/CVE-2017-7400_Remove_dangerous_safestring_declaration.patch
+++ b/debian/patches/CVE-2017-7400_Remove_dangerous_safestring_declaration.patch
@ -0,0 +1,34 @@
+Description: CVE-2017-7400: Remove dangerous safestring declaration
+From: Richard Jones <r1chardj0n3s@gmail.com>
+Date: Tue, 7 Mar 2017 05:55:39 +0000 (+1100)
+X-Git-Tag: 10.0.3^2
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fhorizon.git;a=commitdiff_plain;h=511b325b45b6bd7a88bb6df1a4639b80d0121277
+ This declaration allows XSS content through the JSON and
+ is unnecessary for correct rendering of the content anyway.
+Change-Id: I82355b37108609ae573237424e528aab86a24efc
+Bug-Ubuntu: https://bugs.launchpad.net/horizon/+bug/1667086
+Bug-Debian: https://bugs.debian.org/859559
+Origin: https://review.openstack.org/#/c/442454/
+Last-Update: 2017-04-04
+
+diff --git a/openstack_dashboard/dashboards/identity/mappings/tables.py b/openstack_dashboard/dashboards/identity/mappings/tables.py
+index df6e8f3..9c22285 100644
+--- a/openstack_dashboard/dashboards/identity/mappings/tables.py
+++ b/openstack_dashboard/dashboards/identity/mappings/tables.py
+@@ -14,7 +14,6 @@
+ 
+ import json
+ 
+-from django.utils import safestring
+ from django.utils.translation import ugettext_lazy as _
+ from django.utils.translation import ungettext_lazy
+ 
+@@ -75,7 +74,7 @@ def get_rules_as_json(mapping):
+     rules = getattr(mapping, 'rules', None)
+     if rules:
+         rules = json.dumps(rules, indent=4)
+-    return safestring.mark_safe(rules)
+    return rules
+ 
+ 
+ class MappingsTable(tables.DataTable):
--- a/debian/patches/series
+++ b/debian/patches/series
@ -2,3 +2,4 @@ fix-dashboard-django-wsgi.patch
 fix-dashboard-manage.patch
 fixed-horizon-MANIFEST.in.patch
 stores-SECRET_KEY-in-tmp-folder-for-tests.patch
+CVE-2017-7400_Remove_dangerous_safestring_declaration.patch
--- a/debian/po/it.po
+++ b/debian/po/it.po
@ -1,13 +1,13 @@
 # Italian translation of horizon's debconf messages.
-# Copyright (C) 2013, horizon package copyright holder
+# Copyright (C) 2016, horizon package copyright holder
 # This file is distributed under the same license as the horizon package.
-# Beatrice Torracca <beatricet@libero.it>, 2013.
+# Beatrice Torracca <beatricet@libero.it>, 2013, 2016.
 msgid ""
 msgstr ""
 "Project-Id-Version: horizon\n"
 "Report-Msgid-Bugs-To: horizon@packages.debian.org\n"
 "POT-Creation-Date: 2015-09-22 13:31+0000\n"
-"PO-Revision-Date: 2013-10-19 18:48+0200\n"
+"PO-Revision-Date: 2016-08-01 17:05+0200\n"
 "Last-Translator: Beatrice Torracca <beatricet@libero.it>\n"
 "Language-Team: Italian <debian-l10n-italian@lists.debian.org>\n"
 "Language: it\n"
@ -40,6 +40,8 @@ msgid ""
 "If this option is not selected, Horizon will be installed using /horizon "
 "instead of the webroot."
 msgstr ""
+"Se questa opzione non viene selezionata Horizon verrà installato usando /"
+"horizon invece di webroot."

 #. Type: boolean
 #. Description