[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities
Pierre Habouzit
pierre.habouzit at m4x.org
Mon Dec 19 15:26:31 UTC 2005
On Mon 19 December 2005 13:41, Thijs Kinkhorst wrote:
> close 335997 0.9.8-4
> tags 335997 patch
> thanks
>
> > Multiple Cross-Site-Scripting vulnerabilities have been found in
> > Flyspray. Have a look at
> > http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
> > for more details. This has been assigned CVE-2005-3334,
> > please mention so in the changelog when fixing this.
>
> This RC bug has been open for >50 days without response from the
> maintainer, so I've taken the liberty to work towards a fix.
>
> For unstable:
> This has already been addressed in the current unstable version by an
> update from the upstream repository in version 0.9.8-4, uploaded by
> the maintainer on 2005-10-26. I'm marking the bug as fixed in that
> version with this mail.
>
> For testing:
> The current unstable version just has to migrate to testing, and that
> will happen soon because I'm now marking the RC bug as fixed in
> 0.9.8-4.
>
> For stable:
> I've extracted the right patch from the unstable version (which has
> been present without any bugreports since the end of October), and
> that is attached. I've also prepared updated packages here:
> http://www.a-eskwadraat.nl/~kink/flyspray/
>
> For oldstable:
> Does not contain flyspray.
>
>
> Bye,
> Thijs
afaict the unstable version was not upstream's and was not touched by
the vulnerability. I've not had the time to check it though.
Moreover the current version has some problems that I'd not like to see
enter testing at all.
--
·O· Pierre Habouzit
··O madcoder at debian.org
OOO http://www.madism.org