On Wed, Jun 10, 2015 at 10:42 AM, Salvatore Bonaccorso <[email protected]> wrote: > On Wed, Jun 10, 2015 at 09:10:56AM +0200, László Böszörményi (GCS) wrote: >> Just checked. The Wheezy version doesn't contain the vulnerable code >> segment, but the Jessie version does. Mark the bug accordingly. >> In case you may accept, I attach a debdiff for Jessie. > > Thanks for the quick followups. Am I right that jessie though is not > affected due to > https://bugs.launchpad.net/horizon/+bug/1453074/comments/13 > > The field help_text is always escaped already. > > Is that right? I think the correct answer would be 'it depends'. If you check the presentation layer when that text used as-is, then yes, it's escaped there already. On the other hand that text may be used in the code for addition to other variables that may not be escaped for the presentation tier. Then the user may have customized his/her installation that use the mentioned text without escaping. Last but not least some plugin or other software may also use that text without filtering. If I think these cases then OpenStack may be vulnerable in other places that can be harder (but not impossible) to take advantage of this CVE. In short, the comment you mention emphasize this: "Juno - ASSUME that help text is always safe:" (ie, not 100% sure). That can be the reason upstream has an update for Juno which was merged[1]: Branch stable/juno Status Merged
I say it's better to be more safe and may escape that string twice than have a risk of a vulnerability remain in some use cases. But of course, you are in the position to choose if a DSA is issued or not. Cheers, Laszlo/GCS [1] https://review.openstack.org/#/c/189821/ -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

