[Pkg-nagios-changes] [SCM] Debian packaging of icinga-web branch, wheezy, updated. debian/1.7.1+dfsg1-5-4-ga1ef240
Markus Frosch
markus at lazyfrosch.de
Wed Nov 28 22:21:45 UTC 2012
The following commit has been merged in the wheezy branch:
commit bb01a46442e9efa1c1a97df5b8e66060b64611b2
Author: Markus Frosch <markus at lazyfrosch.de>
Date: Wed Nov 28 22:54:48 2012 +0100
Security fix for a YUI library issue
Two .swf files have been removed from the Debian package
and the Flash-supported feature is disabled for now.
In addition, an upstream patch was applied to allow the user
to use the feature with a newer .swf resource if they want
to.
See README.Debian
Git-Dch: long
Closes: #694262
diff --git a/debian/README.Debian b/debian/README.Debian
index c41f15f..5d771bc 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -3,6 +3,37 @@ icinga-web for Debian
Notes:
+ * [Security Information]
+ The Yahoo Interface library is used in Icinga Web to render certain
+ pie charts, unfortunatly this causes problems due to a cross site
+ scripting issue.
+
+ The flash component has been removed from Debian and the charting
+ feature is disabled.
+
+ Though a upstream fix is applied to allow the usage - when the user
+ decides to...
+
+ If you want to use the TO charts you have to either download a .swf
+ file to your server or use a swf loaded from yahooapis.com on demand.
+
+ See the file /usr/share/icinga-web/app/modules/AppKit/lib/js/AppKit.js
+ for configuration options.
+
+ Remote files:
+ uncomment the respective lines there and run
+ /usr/lib/icinga-web/bin/clearcache.sh
+
+ Local files:
+ download both files
+ http://yui.yahooapis.com/2.8.2/build/charts/assets/charts.swf
+ http://swfobject.googlecode.com/svn/trunk/swfobject/expressInstall.swf
+
+ and store them in /usr/share/icinga-web/lib/ext3/resources/
+
+ make sure to also change AppKit.js to uncomment the respective lines and
+ run /usr/lib/icinga-web/bin/clearcache.sh
+
* Supported databases are: MySQL and PostgreSQL (by auto configuration)
* PostgreSQL with ident authentication:
@@ -52,5 +83,5 @@ Notes:
To achieve this run this command as root:
/usr/lib/icinga-web/bin/clearcache.sh
- -- Markus Frosch <markus at lazyfrosch.de> Tue, 28 Jun 2012 18:47:58 +0200
+ -- Markus Frosch <markus at lazyfrosch.de> Tue, 27 Nov 2012 16:17:58 +0200
diff --git a/debian/patches/21_yui_chartsswf b/debian/patches/21_yui_chartsswf
new file mode 100644
index 0000000..020a183
--- /dev/null
+++ b/debian/patches/21_yui_chartsswf
@@ -0,0 +1,123 @@
+Description: YUI library security change
+ Security fix for YUI libraries' charts.swf
+ .
+ Making changes to some JS objects to support
+ the security fixed version of charts.swf
+ .
+ This is the port of a upstream fix - the .swf
+ file is no longer included in the debian
+ package and now loaded via the internet.
+Author: Markus Frosch <markus at lazyfrosch.de>
+Origin: backport
+Bug-Icinga: https://dev.icinga.org/issues/3464
+Applied-Upstream: 1.8.1
+Last-Update: 2012-11-27
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/app/modules/AppKit/lib/js/AppKit.js
++++ b/app/modules/AppKit/lib/js/AppKit.js
+@@ -54,7 +54,17 @@
+ var me = AppKit;
+
+ Ext.BLANK_IMAGE_URL = me.c.path + '/images/ajax/s.gif';
+- Ext.chart.Chart.CHART_URL = me.c.path + '/js/ext3/resources/charts.swf';
++ // BEGIN Debian - see /usr/share/doc/icinga-web/README.Debian
++ // disabled external Flash components
++ Ext.chart.Chart.CHART_URL = null;
++ Ext.FlashComponent.EXPRESS_INSTALL_URL = null;
++ // enable the following for local stored files
++ //Ext.chart.Chart.CHART_URL = me.c.path + '/js/ext3/resources/charts.swf';
++ //Ext.FlashComponent.EXPRESS_INSTALL_URL = me.c.path + '/js/ext3/resources/expressinstall.swf';
++ // enable the following for remote stored resources
++ //Ext.chart.Chart.CHART_URL = 'http:/' + '/yui.yahooapis.com/2.8.2/build/charts/assets/charts.swf';
++ //Ext.FlashComponent.EXPRESS_INSTALL_URL = 'http:/' + '/swfobject.googlecode.com/svn/trunk/swfobject/expressInstall.swf';
++ // END Debian
+
+ Ext.QuickTips.init();
+ growlStack();
+@@ -270,4 +280,4 @@
+ }()));
+ })();
+
+-Ext.ns('AppKit.lib', 'AppKit.util');
+\ No newline at end of file
++Ext.ns('AppKit.lib', 'AppKit.util');
+--- /dev/null
++++ b/app/modules/Cronks/lib/js/Ext/ux/FlashComponent.js
+@@ -0,0 +1,59 @@
++// {{{ICINGA_LICENSE_CODE}}}
++// -----------------------------------------------------------------------------
++// This file is part of icinga-web.
++//
++// Copyright (c) 2009-2012 Icinga Developer Team.
++// All rights reserved.
++//
++// icinga-web is free software: you can redistribute it and/or modify
++// it under the terms of the GNU General Public License as published by
++// the Free Software Foundation, either version 3 of the License, or
++// (at your option) any later version.
++//
++// icinga-web is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU General Public License
++// along with icinga-web. If not, see <http://www.gnu.org/licenses/>.
++// -----------------------------------------------------------------------------
++// {{{ICINGA_LICENSE_CODE}}}
++/*global Ext: false, Icinga: false, AppKit: false, _: false, Cronk: false */
++
++(function() {
++ "use strict";
++
++ Ext.ns('Ext.chart', 'YAHOO.widget');
++
++ /**
++ * @class Ext.chart.PieChart
++ * @overrides Ext.chart.PieChart
++ * @namespace Ext.chart
++ * @author Markus Frosch <markus.frosch at netways.de>
++ * @getId
++ */
++ Ext.override(Ext.chart.PieChart, {
++ /*
++ Replacing getId with a new version to give the YUI swf
++ an id that he wants and allows
++ */
++ getId: function() {
++ return this.id || (this.id = "yuiswf" + (++Ext.Component.AUTO_ID));
++ }
++ });
++
++ /**
++ * @class YAHOO.widget.SWF
++ * @extends Ext.FlashEventProxy
++ * @namespace YAHOO.widget
++ * @author Markus Frosch <markus.frosch at netways.de>
++ *
++ * A proxy object to call Ext.FlashEventProxy
++ * from a YUI flash component
++ */
++ YAHOO.widget.SWF = Ext.FlashEventProxy;
++ YAHOO.widget.SWF.eventHandler = function(id, e) {
++ this.onEvent(id, e);
++ };
++}());
+--- a/app/modules/Cronks/config/javascript.xml
++++ b/app/modules/Cronks/config/javascript.xml
+@@ -29,6 +29,7 @@
+ <ae:parameter>%core.module_dir%/Cronks/lib/js/grid/MetaGridCreator.js</ae:parameter>
+ <ae:parameter>%core.module_dir%/Cronks/lib/js/grid/GridUtil.js</ae:parameter>
+ <ae:parameter>%core.module_dir%/Cronks/lib/js/grid/OptimisticPagingToolbar.js</ae:parameter>
++ <ae:parameter>%core.module_dir%/Cronks/lib/js/Ext/ux/FlashComponent.js</ae:parameter>
+ <ae:parameter>%core.root_dir%/lib/ext3/examples/ux/ColumnNodeUI.js</ae:parameter>
+ <ae:parameter>%core.root_dir%/lib/jit/Extras/excanvas.js</ae:parameter>
+ <ae:parameter>%core.root_dir%/lib/jit/jit-yc.js</ae:parameter>
+@@ -80,4 +81,4 @@
+ <ae:parameter>%core.module_dir%/Cronks/lib/js/CronkTrigger.js</ae:parameter>
+ </javascript>
+ </ae:configuration>
+-</ae:configurations>
+\ No newline at end of file
++</ae:configurations>
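Review bot: The commented-out remote alternative in the AppKit.js hunk, `//Ext.chart.Chart.CHART_URL = 'http:/' + '/yui.yahooapis.com/2.8.2/build/charts/assets/charts.swf';` and the expressInstall line under it, fetches executable Flash content over plain HTTP, and README.Debian's "Remote files" step invites administrators to uncomment exactly these lines, so the swf could be replaced in transit and the fix this patch ports would be undone. Changing the scheme on both lines to `'https:/' + '/yui.yahooapis.com/...'` and `'https:/' + '/swfobject.googlecode.com/...'` is a one-token change, and the "Local files" step in the README would benefit from a sentence asking the admin to verify the downloaded files against a known-good checksum before installing them. The DEP-3 header further states the .swf "is no longer included in the debian package and now loaded via the internet", but the applied change sets both `Ext.chart.Chart.CHART_URL` and `Ext.FlashComponent.EXPRESS_INSTALL_URL` to `null`, so remote loading is opt-in; the Description should say the component is disabled by default with the local and remote variants left commented for the administrator. The function enclosing the URL assignments in AppKit.js starts and ends outside the hunk.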
diff --git a/debian/patches/series b/debian/patches/series
index b8061a3..7a8602a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
10_db_version_fix
20_squishloader_gzip_off
+21_yui_chartsswf