On Mon 19 December 2005 16:42, Thijs Kinkhorst wrote:
> On Mon, 2005-12-19 at 16:26 +0100, Pierre Habouzit wrote:
> > > > Multiple Cross-Site-Scripting vulnerabilities have been found in
> > > > Flyspray. Have a look at
> > > > http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
> > > > for more details. This has been assigned
> > > > CVE-2005-3334, please mention so in the changelog when fixing
> > > > this.
> >
> > afaict the unstable version was not upstream's and was not touched
> > by the vulnerability. I've not had the time to check it though.
>
> Since no information was added to this bug report since it was
> opened, I have only the changelog, advisory and upstream code to go
> by. From the changelog I read that you pulled the fix in question
> from the upstream repo. I've tested this code against the
> vulnerability and it indeed fixes it. If you believe another fix to
> be better, please supply a patch.
>
> > Moreover the current version has some problems that I'd not like to
> > see enter testing at all.
>
> Current testing has an RC security bug. If those issues you mention
> are also RC, I suggest you document them in the BTS, since I didn't
> find any other RC issues in the tracker. If they are not, this
> version should progress in order to fix the RC security bug in
> testing that's absent in unstable.
You are right on the full line, and I just did an upload of what I should have done way earlier and that was almost ready on my computer. This one fixes a lot of bugs and uses the update that upstream released a few days after I fixed the RC bug in a hurry. -6 is the package that will fix all that should be, and it'll enter etch in 10 days from now.

Thanks for the other valuable patch you sent btw.

--
·O·  Pierre Habouzit
··O  [EMAIL PROTECTED]
OOO  http://www.madism.org