[PATCH] docs: Add a release note for CVE-2019-13122
Daniel Axtens
dja at axtens.net
Fri Jul 5 16:45:55 AEST 2019
Applied to master and stable/2.1, stable/2.0 and included in the
releases.
Regards,
Daniel
Daniel Axtens <dja at axtens.net> writes:
> Signed-off-by: Daniel Axtens <dja at axtens.net>
> ---
> .../notes/CVE-2019-13122-e9c63aa346ed15c2.yaml | 11 +++++++++++
> 1 file changed, 11 insertions(+)
> create mode 100644 releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
>
> diff --git a/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
> new file mode 100644
> index 000000000000..48afac0509bb
> --- /dev/null
> +++ b/releasenotes/notes/CVE-2019-13122-e9c63aa346ed15c2.yaml
> @@ -0,0 +1,11 @@
> +---
> +fixes:
> + - |
> + CVE-2019-13122 has been fixed. Andrew Donnellan discovered an XSS
> + via the message-id field. A malicious user could send a patch with
> + a message ID that included a script tag. Because of the quirks of
> + the email RFCs, such a message ID can survive being sent through
> + many mail systems, including Gmail, and be parsed and stored by
> + Patchwork. When a user viewed a patch detail page for the patch
> + with this message id, the script would be run. This is fixed by
> + properly escaping the field before it is rendered.
> \ No newline at end of file
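Review bot: the new file ends without a trailing newline (see the "\ No newline at end of file" marker on the last hunk line); please add one so the YAML note matches the other release notes and does not trip whitespace linters. It would also help readers if the note named the branches or releases that carry the fix (the cover text mentions master, stable/2.1 and stable/2.0) and pointed at the fixing commit, since the note currently says only that the field is "properly escaped" without identifying which change did that.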
> --
> 2.20.1