On Tue, 1 Dec 2009 14:23:30 +0100, Thomas Koch wrote:
> So it was a mistake that the bug has been closed in the changelog.
>
> But I've explained before, that this bug is not a security issue with YUI or
> any other JS library, but an issue of web applications vulnerable to XSS
> attacks.
> I therefore suggest that this bug should be closed. Is there any other idea on
> how to proceed?

as can be concluded by reading the pdf, this indeed is a security flaw and is exposed due to the implementation/design of the javascript frameworks studied. since the flaw resides in the frameworks themselves, the only logical conclusion is that the fixes should be applied there as well.

if you need help in this endeavor, i recommend collaborating with your upstream (who should have the appropriate knowledge/capability), or failing that, you can make a request for help from the security team; however, their time is limited and usually devoted to more important issues than this one.

mike