Hello Alvaro, I am aware of the recent upstream report, and also the CVE entry that was fixed in 2.6.18.
With respect to the latter, when I last talked to Debian's security team years ago on the topic, they were not enthusiastic about bringing the entire 2.6.18 into older Debian releases. As maintainer, it is my position that an attempt to backport just the security aspect is too difficult to be feasible. It is certainly beyond my ability, especially the testing aspect. Upstream is also not interested in attempting a backport. That stalemate, plus the non-earthshattering nature of the vulnerability, led to general inaction. Your choices are to wait a few more years for this concern to fall into the dustbin of history, or, if you have the energy, ping the Debian security team to see if they have a different disposition these days.

With respect to 2.6.19 and/or patching the newest vulnerability, thanks for the problem report, and the reminder. We'll either get a patch in place or upstream should make a release relatively soon. Again, while it is an XSS problem (what isn't?), I don't see this as earth shattering - the vast majority of real-world deployments will not be affected.

If you wish to discuss further by private email I am happy to do so.

-Jeff