Hi,

On 17/12/2012 18:21, Jonathan Wiltshire wrote:
> Security team: is it too late to get a CVE through you now that a public
> bug has been filed? And should a DSA be prepared, as I have not looked
> but can be fairly sure this will affect stable.

Yes, if it is public, we cannot assign a CVE. You can ask
cve-ass...@mitre.org to request one.

>>> The window of opportunity is small but the impact could be significant
>>> (drive-by downloads, session theft, XSS etc).
>>
>> Actually, it’s not small.
>
> Ok, what I really meant was that you'd have to know someone is using
> Mediawiki to read your feed, which is probably feasible but I can't
> imagine there are thousands of people doing so. We don't really know
> either way, we should probably play it cautious.

I agree, this issue doesn't warrant a DSA, but you could still fix it
through a point update:

http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
Giuseppe.