On Mon, 2005-12-19 at 16:26 +0100, Pierre Habouzit wrote:
> > > Multiple Cross-Site-Scripting vulnerabilities have been found in
> > > Flyspray. Have a look at
> > > http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
> > > for more details. This has been assigned CVE-2005-3334,
> > > please mention so in the changelog when fixing this.

> afaict the unstable version was not upstream's and was not touched by 
> the vulnerability. I've not had the time to check it though.

Since no information was added to this bug report since it was opened, I
have only the changelog, advisory and upstream code to go by. From the
changelog I read that you pulled the fix in question from the upstream
repo. I've tested this code against the vulnerability and it indeed
fixes it. If you believe another fix to be better, please supply a
patch.

> Moreover the current version has some problems that I'd not like to see 
> enter testing at all.

Current testing has an RC security bug. If those issues you mention are
also RC, I suggest you document them in the BTS, since I didn't find any
other RC issues in the tracker. If they are not, this version should
progress in order to fix the RC security bug in testing that's absent in
unstable.


Thijs
