Re: XSS in paste 1.7.1-1 and 1.7.3.1-1
Hi,
On Mon, August 2, 2010 16:48, Piotr Ożarowski wrote:
> Could someone take a look at paste in stable-proposed-updates?
I thought I'd mailed you after spotting the package in p-u; it would
appear I was mistaken - sorry about that.
> (sorry for not sending this mail to -release earlier, I was convinced
> that uploading to stable/stable-proposed-updates is enough now, I
> probably misread one of the mails on -release)
Sending an e-mail is definitely preferred; doing so before uploading
rather than vice versa even more so.
>> what it fixes:
>> URLs like "http://foo.pl/-->%0D<script>alert('xss')</script>"
>> will no longer generate error pages where JavaScript can be executed
Have you discussed with the security team whether this is something they
believe a DSA should be issued for?
Regards,
Adam