Sync paste 1.7.4-1 (main) from Debian unstable (main)

Bug #634062 reported by Gediminas Paulauskas
Affects           Status        Importance  Assigned to  Milestone
paste (Ubuntu)    Fix Released  High        Unassigned
  Maverick        Fix Released  High        Unassigned

Bug Description

Please sync paste 1.7.4-1 (main) from Debian unstable (main)

Changelog entries since current maverick version 1.7.3.1-1:

paste (1.7.4-1) unstable; urgency=high

  * New upstream release - fixes XSS bug (security issue) with not found
    handlers for paste.urlparser.StaticURLParser and paste.urlmap.URLMap

 -- Piotr Ożarowski <email address hidden> Fri, 25 Jun 2010 20:30:19 +0200

Changed in paste (Ubuntu):
importance: Undecided → Wishlist
Gediminas Paulauskas (menesis) wrote :

Since this solves a security issue, setting importance to High and subscribing release team.

Changed in paste (Ubuntu):
status: New → Confirmed
importance: Wishlist → High
Steve Beattie (sbeattie) wrote :

The upstream release includes a bunch of documentation changes (mostly version bumps) and some trailing whitespace changes; once those are filtered out, the actual code changes look small and reasonable. An additional call to cgi.escape has been added as well as code to escape injected comment closing code. Also, the cleanup with the missing desired_matches() function seems useful.

Attached is the filtered diff that I used to review.

Piotr Ożarowski (piotr) wrote :

If you want just the fix, take a look at Debian stable.

Scott Kitterman (kitterman) wrote :

Should be fine to go in as a sync. Approved.

Jamie Strandboge (jdstrand) wrote :

[Updating] paste (1.7.3.1-1 [Ubuntu] < 1.7.4-1 [Debian])
 * Trying to add paste...
2010-09-24 20:18:24 INFO - <paste_1.7.4-1.dsc: downloading from http://ftp.debian.org/debian/>
2010-09-24 20:18:24 INFO - <paste_1.7.4.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
2010-09-24 20:18:25 INFO - <paste_1.7.4-1.diff.gz: downloading from http://ftp.debian.org/debian/>
I: paste [main] -> python-paste_1.7.3.1-1 [main].

Changed in paste (Ubuntu Maverick):
status: Confirmed → Fix Released