Re: dla-needed.txt: Add note on CVE-2020-1769 in otrs2.
Chris,
On 29/04/20 4:28 am, Chris Lamb wrote:
> Abhijith,
>
>>> otrs2
>>> NOTE: 20200412: Asked upstream for clarity in CVE-2020-1769 patch (abhijith)
>>> + NOTE: 20200427: Cannot find the above comment on the various commits/PRs, nor
>>> + NOTE: 20200427: on the -dev mailing list. I suspect it's entirely safe to
>>
>> I sent mail directly to the committer.
>
> Thanks for clarifying. If so, please could you add a clarifying note
> to dla-needed.txt? I suppose the rough principle here would be to
> collect all relevant info so that in the case that someone needs to
> take up your work they can do so with minimal duplicated effort.
Sure, I will follow that.
>> Isn't autocomplete more of a browser-dependent thing? I disabled
>> autocomplete (without the switches) and tested in Firefox, but it didn't
>> work.
>
> Indeed. For example, in Firefox:
>
> We intentionally ignore autocomplete=off for password forms. We
> believe giving users the option to save their passwords will result
> in better security than if users use the same simple password on all
> sites because otherwise they can't remember them.
>
> -- https://bugzilla.mozilla.org/show_bug.cgi?id=1353035#c2
>
> Regardless and unrelated to the merits of this argument, I am now more
> and more inclined to believe this is a no-dsa issue.
I also believe it is a no-dsa and I am going to mark it as no-dsa. But it would
be better if it got some more clarity from upstream.
--abhijith