[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities

Thijs Kinkhorst kink at squirrelmail.org
Mon Dec 19 15:42:37 UTC 2005


On Mon, 2005-12-19 at 16:26 +0100, Pierre Habouzit wrote:
> > > Multiple Cross-Site-Scripting vulnerabilities have been found in
> > > Flyspray. Have a look at
> > > http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
> > > for more details. This has been assigned CVE-2005-3334,
> > > please mention so in the changelog when fixing this.

> afaict the unstable version was not upstream's and was not touched by 
> the vulnerability. I've not had the time to check it though.

Since no information was added to this bug report since it was opened, I
have only the changelog, advisory and upstream code to go by. From the
changelog I read that you pulled the fix in question from the upstream
repo. I've tested this code against the vulnerability and it indeed
fixes it. If you believe another fix to be better, please supply a
patch.

> Moreover the current version has some problems that I'd not like to see 
> enter testing at all.

Current testing has an RC security bug. If those issues you mention are
also RC, I suggest you document them in the BTS, since I didn't find any
other RC issues in the tracker. If they are not, this version should
progress in order to fix the RC security bug in testing that's absent in
unstable.


Thijs