[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities

Pierre Habouzit pierre.habouzit at m4x.org
Mon Dec 19 15:47:50 UTC 2005


On Mon 19 December 2005 16:42, Thijs Kinkhorst wrote:
> On Mon, 2005-12-19 at 16:26 +0100, Pierre Habouzit wrote:
> > > > Multiple Cross-Site-Scripting vulnerabilities have been found in
> > > > Flyspray. Have a look at
> > > > http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
> > > > for more details. This has been assigned
> > > > CVE-2005-3334, please mention so in the changelog when fixing
> > > > this.
> >
> > afaict the unstable version was not upstream's and was not touched
> > by the vulnerability. I've not had the time to check it though.
>
> Since no information was added to this bug report since it was
> opened, I have only the changelog, advisory and upstream code to go
> by. From the changelog I read that you pulled the fix in question
> from the upstream repo. I've tested this code against the
> vulnerability and it indeed fixes it. If you believe another fix to
> be better, please supply a patch.
>
> > Moreover the current version has some problems that I'd not like to
> > see enter testing at all.
>
> Current testing has an RC security bug. If those issues you mention
> are also RC, I suggest you document them in the BTS, since I didn't
> find any other RC issues in the tracker. If they are not, this
> version should progress in order to fix the RC security bug in
> testing that's absent in unstable.

You are right on the full line, and I just did an upload of what I
should have done way earlier and that was almost ready on my computer.

This one fixes a lot of bugs and uses the update that upstream released
a few days after I fixed the RC bug in a hurry.

-6 is the package that will fix all that should be, and it'll enter etch 
in 10 days from now.

Thanks for the other valuable patch you sent, btw.
-- 
·O·  Pierre Habouzit
··O                                                madcoder at debian.org
OOO                                                http://www.madism.org