* Salvatore Bonaccorso:

> Hi Florian,
>
> On Fri, May 01, 2020 at 02:11:50PM +0200, Florian Weimer wrote:
>> * Florian Weimer:
>>
>> > * Francesco Poli:
>> >
>> >> Please note that the CVE is mentioned in [DSA-4667-1].
>> >>
>> >> [DSA-4667-1]:
>> >> <https://lists.debian.org/debian-security-announce/2020/msg00071.html>
>> >>
>> >> What's wrong with that tracker page?
>> >
>> > It's something in the NVD data that breaks the HTML escaping.
>>
>> This patch adds basic Unicode support to the web framework. I'm not
>> sure if it is the right direction to move in, but it fixes the issue.
>>
>> An alternative fix would be to change the NVD importer not to put
>> Unicode strings into the database, by encoding them as byte strings
>> first.
>
> Do you want to deploy that or rather investigate an alternative?

I'd appreciate if you could spot-check the changes (e.g., do we still do HTML escaping properly?) and deploy it. It looks like I have forgotten how to do it.