Apologies--my previous message included a broken patch from an earlier attempt rather than the current one. Here is what I'm presently using on my systems:
--- /usr/share/ajaxterm/ajaxterm.js 2009-02-17 13:40:43.000000000 +0000
+++ ajaxterm.js 2009-05-17 20:15:16.000000000 +0000
@@ -3,7 +3,16 @@
  var ie=0;
  if(window.ActiveXObject)
  ie=1;
- var sid=""+Math.round(Math.random()*1000000000);
+
+ // mitigate CVE-2009-1629
+ var sid_arr = (
+ "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+ ).split("");
+ var sid = "";
+ for (sid_inc = 0 ; sid_inc < 9 ; sid_inc++){
+ sid += sid_arr[Math.floor(Math.random()*sid_arr.length)];
+ }
+
  var query0="s="+sid+"&w="+width+"&h="+height;
  var query1=query0+"&c=1&k=";
  var buf="";
Sorry for the confusion! -- { IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657); SMTP(fu...@yuggoth.org); IRC(fu...@irc.yuggoth.org#ccl); ICQ(114362511); AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fu...@yuggoth.org); MUD(fu...@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); } -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
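Review bot: The loop counter in the added `for (sid_inc = 0 ; sid_inc < 9 ; sid_inc++){` line is assigned without `var`, so in this non-strict script it becomes an implicit global; declare it locally, `for (var sid_inc = 0 ; sid_inc < 9 ; sid_inc++){`. Beyond that, `Math.random()` is not a cryptographically strong generator, so the new loop enlarges the identifier space but does not make the session id unpredictable, which is the property the `// mitigate CVE-2009-1629` comment claims to address; where the browser offers `crypto.getRandomValues`, draw the characters from it, and since the server has to trust the value anyway, allocating the id server-side is the more robust design. A comment such as `// widens sid to 62^9 values; Math.random() is not a CSPRNG, so this is not a full fix` would record that limitation for the next maintainer. The enclosing function these `var` declarations presumably belong to starts before the hunk.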