
Bug#856240: marked as done (jessie-pu: package elog/2.9.2+2014.05.11git44800a7-2+deb8u1)



Your message dated Sat, 09 Dec 2017 10:47:53 +0000
with message-id <1512816473.1994.32.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in jessie point release
has caused the Debian Bug report #856240,
regarding jessie-pu: package elog/2.9.2+2014.05.11git44800a7-2+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
856240: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856240
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Update closes bug https://bugs.debian.org/851909, in which no login is
possible except as the admin user.

-- System Information:
Debian Release: 8.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/changelog elog-2.9.2+2014.05.11git44800a7/debian/changelog
--- elog-2.9.2+2014.05.11git44800a7/debian/changelog	2016-09-17 23:32:15.000000000 +0200
+++ elog-2.9.2+2014.05.11git44800a7/debian/changelog	2017-02-12 20:20:33.000000000 +0100
@@ -1,3 +1,10 @@
+elog (2.9.2+2014.05.11git44800a7-2+deb8u2) jessie; urgency=medium
+
+  * update patch 0005_elogd_CVE-2016-6342_fix to grant access
+    to logbooks also as normal login user (Closes: #851909)
+
+ -- Roger Kalt <roger.kalt@gmail.com>  Thu, 19 Jan 2017 22:45:52 +0100
+
 elog (2.9.2+2014.05.11git44800a7-2+deb8u1) jessie; urgency=medium
 
   * Added patch 0005_elogd_CVE-2016-6342_fix to fix posting entry as
diff -Nru elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix
--- elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix	2016-09-03 22:12:44.000000000 +0200
+++ elog-2.9.2+2014.05.11git44800a7/debian/patches/0005_elogd_CVE-2016-6342_fix	2017-02-02 21:28:38.000000000 +0100
@@ -42,7 +42,7 @@
  
     if (lbs->top_group[0] && (!top_group || strieq(top_group, "global"))) {
 -      if (is_admin_user("global", getparam("unm"))) {
-+      if (is_admin_user(lbs, getparam("unm"))) {
++      if (is_admin_user(NULL, getparam("unm"))) {
           if (lbs->top_group[0]) {
  
              sprintf(str, "global %s", lbs->top_group);
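Review bot: With `NULL` as the first argument, this admin check no longer passes through `logged_in()`, because the guard inside the admin-check function becomes `if (lbs && !logged_in(lbs))` in a later hunk of this same update. The decision then rests only on whether the name returned by `getparam("unm")` appears in the admin list, which looks like the condition the CVE-2016-6342 fix was meant to close; whether an earlier session check covers these paths is not visible here. The same applies to the other `is_admin_user(NULL, ...)` call sites (the delete/rename/create logbook buttons, both "Change [global ...]" menu entries, and the synchronization link). Where `lbs` is in scope, as it is here, one option to evaluate against #851909 is `if (logged_in(lbs) && is_admin_user(NULL, getparam("unm"))) {`. The enclosing function starts and ends outside the hunk.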
@@ -51,7 +51,7 @@
  
     if (is_group("global") && !strieq(top_group, "global")) {
 -      if (is_admin_user("global", getparam("unm"))) {
-+      if (is_admin_user(lbs, getparam("unm"))) {
++      if (is_admin_user(NULL, getparam("unm"))) {
           rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Delete this logbook"));
           rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Rename this logbook"));
           rsprintf("<input type=submit name=cmd value=\"%s\">\n", loc("Create new logbook"));
@@ -139,7 +139,7 @@
              strcat(menu_str, "GetPwdFile, ");
  
 -            if (is_admin_user("global", getparam("unm"))) {
-+            if (is_admin_user(lbs, getparam("unm"))) {
++            if (is_admin_user(NULL, getparam("unm"))) {
  
                 if (lbs->top_group[0]) {
                    sprintf(str, "Change [global %s]", lbs->top_group);
@@ -175,7 +175,7 @@
           strcat(menu_str, "GetPwdFile, ");
  
 -         if (is_admin_user("global", getparam("unm"))) {
-+         if (is_admin_user(lbs, getparam("unm"))) {
++         if (is_admin_user(NULL, getparam("unm"))) {
  
              if (lbs->top_group[0]) {
                 sprintf(str, "Change [global %s]", lbs->top_group);
@@ -276,17 +276,7 @@
     
     getcfg(lbs->name, "Password file", str, sizeof(str));
  
-@@ -25438,16 +25455,27 @@
-       if (i == n)
-          return FALSE;
-    }
-+
-+   /* make sure user is logged in */
-+   if (!logged_in(lbs))
-+      return FALSE;
-+
-    return TRUE;
- }
+@@ -25443,11 +25460,17 @@
  
  /*------------------------------------------------------------------*/
  
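Review bot: Dropping the inner hunk at 25438 removes the `logged_in(lbs)` check from the function that ends just above the separator comment, so that function reaches `return TRUE` again without looking at login state. Its name is outside the hunk; if it is one of the access checks the CVE-2016-6342 fix depends on, the patch should record which check now covers that path. A comment at the old location would be enough, for example `/* login state is checked by the caller, not here (see #851909) */`, adjusted to whatever is actually the case.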
@@ -305,18 +295,18 @@
  
     /* Removed user[0] for cloning, have to check implications, same below.
        if (getcfg(logbook, "Admin user", str, sizeof(str)) && user[0]) { */
-@@ -25464,6 +25492,10 @@
+@@ -25464,6 +25487,10 @@
        if (i == n)
           return FALSE;
     }
 +   /* make sure user is logged in */
-+   if (!logged_in(lbs))
++   if (lbs && !logged_in(lbs))
 +      return FALSE;
 +   
     return TRUE;
  }
  
-@@ -25487,6 +25519,7 @@
+@@ -25487,6 +25514,7 @@
        if (i == n)
           return FALSE;
     }
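Review bot: A NULL `lbs` is now a valid argument to what is presumably is_admin_user, but the only NULL handling in view is the `lbs &&` guard; the part of the body that reads the "Admin user" setting starts outside the hunk. It is worth confirming that this lookup uses the global section rather than reading through `lbs` when the pointer is NULL. The comment above the guard should also state the contract, for example `/* lbs == NULL selects the global admin list; no per-logbook login check is made */`.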
@@ -324,6 +314,15 @@
     return TRUE;
  }
  
+@@ -25988,7 +26016,7 @@
+    if (getcfg("global", "mirror server", str, sizeof(str))) {
+ 
+       /* only admin user sees synchronization link */
+-      if (is_admin_user("global", getparam("unm"))) {
++      if (is_admin_user(NULL, getparam("unm"))) {
+          rsprintf("<tr>\n");
+          rsprintf("<td colspan=13 class=\"seltitle\">\n");
+          rsprintf("<a href=\"?cmd=Synchronize\">%s</a></td>\n", loc("Synchronize all logbooks"));
 --- a/src/elogd.h
 +++ b/src/elogd.h
 @@ -292,7 +292,7 @@

--- End Message ---
--- Begin Message ---
Version: 8.10

Hi,

Each of the updates referenced in these bugs was included in this
morning's jessie point release. Thanks!

Regards,

Adam

--- End Message ---
