On Mon, Sep 11, 2017 at 03:21:08AM +0000, Craig Small wrote:
> On Wed, 6 Sep. 2017, 07:03 Dominic Hargreaves <d...@earth.li> wrote:
>
> > I have just become aware of an old security issue that was fixed
> > in upstream:
> >
> > https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a
> >
> > Given that no one has noticed and reported this as an issue for a year
> > in the Debian package, and I'm not completely sure of how easy it is
> > to exploit, I'm not exactly sure of the correct severity or whether
> > this warrants a DSA or just a point release update. I'm CCing
> > the Wordpress maintainer in case they have any ideas.
> >
> > This bug will be fixed in unstable shortly.
>
> Hi,
> Probably a security team question but the un-patched plugin permits an XSS
> attack so it should be a DSA I think.
I'm just confirming the status of the bug in 1.4 with the upstream maintainer
prior to a fix. Also looping in the security team.

Cheers,
Dominic.