
Re: XSS in paste 1.7.1-1 and 1.7.3.1-1



Hi,

On Mon, August 2, 2010 16:48, Piotr Ożarowski wrote:
> Could someone take a look at paste in stable-proposed-updates?

I thought I'd mailed you after spotting the package in p-u; it would
appear I was mistaken - sorry about that.

> (sorry for not sending this mail to -release earlier, I was convinced
> that uploading to stable/stable-proposed-updates is enough now, I
> probably misread one of the mails on -release)

Sending an e-mail is definitely preferred; doing so before uploading
rather than vice versa even more so.

>> what it fixes:
>>  URLs like "http://foo.pl/-->%0D<script>alert('xss')</script>"
>>  will no longer generate error pages where JavaScript can be executed

Have you discussed with the security team whether this is something they
believe a DSA should be issued for?

Regards,

Adam
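To make the class of bug in the quoted fix description concrete, here is an added example (not paste's own code, and not part of this thread) of a minimal WSGI 404 handler that reflects the requested path into an HTML error page. The unescaped renderer reproduces the problem the quoted text describes, the hardened renderer HTML-escapes the reflected value before inserting it, and a small check shows how the two differ on the sample path quoted above. All function names and the template are assumptions made for this illustration.

```python
import html
from urllib.parse import unquote

# Constructed sample input: the path from the quoted fix description, after the
# URL-decoding a typical server performs ("%0D" becomes a carriage return).
SAMPLE_PATH = unquote("/-->%0D<script>alert('xss')</script>")

# Hypothetical error-page template; the request path is interpolated into it.
ERROR_TEMPLATE = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>The resource {path} could not be found.</p></body></html>"
)


def render_not_found_unsafe(path: str) -> str:
    """Reflects the request path verbatim into the page: the bug class the
    thread discusses. Any markup in the path reaches the browser as markup."""
    return ERROR_TEMPLATE.format(path=path)


def render_not_found_safe(path: str) -> str:
    """Hardened variant: HTML-escape the reflected value so '<', '>', '&' and
    quotes are rendered as text instead of being interpreted as markup."""
    return ERROR_TEMPLATE.format(path=html.escape(path, quote=True))


def reflects_markup(page: str) -> bool:
    """Regression-style check: does the rendered page contain a raw <script>
    tag? A correctly escaped page contains only '&lt;script&gt;'."""
    return "<script" in page.lower()


def not_found_app(environ, start_response):
    """Minimal WSGI application (hypothetical) wired to the hardened renderer."""
    body = render_not_found_safe(environ.get("PATH_INFO", "")).encode("utf-8")
    start_response(
        "404 Not Found",
        [("Content-Type", "text/html; charset=utf-8"),
         ("Content-Length", str(len(body)))],
    )
    return [body]


if __name__ == "__main__":
    print(reflects_markup(render_not_found_unsafe(SAMPLE_PATH)))  # True
    print(reflects_markup(render_not_found_safe(SAMPLE_PATH)))    # False
```

The decisive detail is that escaping happens at the point where untrusted data is inserted into HTML, not earlier: the same `html.escape` call protects every field the template reflects, whatever the server did (or did not do) with `%0D` during URL decoding.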
