
docs: Add a release note for CVE-2019-13122

Message ID 20190705063813.31701-1-dja@axtens.net
State Accepted
Series docs: Add a release note for CVE-2019-13122

Commit Message

Daniel Axtens July 5, 2019, 6:38 a.m. UTC
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 .../notes/CVE-2019-13122-e9c63aa346ed15c2.yaml        | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml

Comments

Daniel Axtens July 5, 2019, 6:45 a.m. UTC | #1
Applied to master and stable/2.1, stable/2.0 and included in the
releases.

Regards,
Daniel

Daniel Axtens <dja@axtens.net> writes:

> Signed-off-by: Daniel Axtens <dja@axtens.net>
> ---
>  .../notes/CVE-2019-13122-e9c63aa346ed15c2.yaml        | 11 +++++++++++
>  1 file changed, 11 insertions(+)
>  create mode 100644 releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
>
> diff --git a/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
> new file mode 100644
> index 000000000000..48afac0509bb
> --- /dev/null
> +++ b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
> @@ -0,0 +1,11 @@
> +---
> +fixes:
> +  - |
> +    CVE-2019-13122 has been fixed. Andrew Donnellan discovered an XSS
> +    via the message-id field. A malicious user could send a patch with
> +    a message ID that included a script tag. Because of the quirks of
> +    the email RFCs, such a message ID can survive being sent through
> +    many mail systems, including Gmail, and be parsed and stored by
> +    Patchwork. When a user viewed a patch detail page for the patch
> +    with this message id, the script would be run. This is fixed by
> +    properly escaping the field before it is rendered.
> \ No newline at end of file
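Review bot: The new YAML file ends without a trailing newline, as the "\ No newline at end of file" marker after the last line of the note shows. Please end the file with a newline so later edits to the note do not produce a spurious change on its last line. A smaller style point in the same block: the header is written three ways ("message-id field", "message ID", "message id"), and picking one spelling would make the note easier to search.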
> -- 
> 2.20.1

Patch

diff --git a/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
new file mode 100644
index 000000000000..48afac0509bb
--- /dev/null
+++ b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
@@ -0,0 +1,11 @@ 
+---
+fixes:
+  - |
+    CVE-2019-13122 has been fixed. Andrew Donnellan discovered an XSS
+    via the message-id field. A malicious user could send a patch with
+    a message ID that included a script tag. Because of the quirks of
+    the email RFCs, such a message ID can survive being sent through
+    many mail systems, including Gmail, and be parsed and stored by
+    Patchwork. When a user viewed a patch detail page for the patch
+    with this message id, the script would be run. This is fixed by
+    properly escaping the field before it is rendered.
\ No newline at end of file
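Review bot: The entry under "fixes:" says the field is now escaped "before it is rendered" but does not say which releases were affected or which ones carry the fix, so an administrator reading the release notes cannot tell from this text whether their deployment needs upgrading. Consider adding a sentence naming the affected and fixed versions and stating that upgrading is the remediation. If the release-notes tooling offers a dedicated "security:" section, a CVE entry would be easier to find there than under "fixes:".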