
Re: twitter-bootstrap / CVE-2018-14040 / CVE-2018-14041 / CVE-2018-14042



On 2018-09-02 17:08:09, Brian May wrote:
> Antoine Beaupré <anarcat@orangeseeds.org> writes:
>
>> What do you think? Should we push this forward?
>
> I am somewhat concerned that by fixing this we might be breaking
> something. Even if it is 100% broken behaviour, maybe some application
> depends on this?
>
> Is the potential attack bad enough to justify potential breakage? I am
> not absolutely convinced.

Well there *are* probably some XSS left. The solution would be similar
to the one I did in the DLA with little or no breakage.

A.

-- 
The class which has the power to rob upon a large scale has also the
power to control the government and legalize their robbery.
                        - Eugene V. Debs

