On Sat, Dec 18, 2010 at 08:00:39PM +0000, Adam D. Barratt wrote:
> On Sat, 2010-12-18 at 00:28 +0000, Jonathan Wiltshire wrote:
> >   * Fixed CSRF vulnerability in "e-mail me my password",
> >     "create account" and "create by e-mail" features of
> >     [[Special:Userlogin]]. CVE-2010-1648
> >   * Fixed XSS vulnerability affecting IE clients only, due to a CSS
> >     validation issue. CVE-2010-1647 (Closes: #585918)
>
> The security tracker seems to be somewhat confused here, fwiw -
> http://security-tracker.debian.org/tracker/CVE-2010-164{7,8} both claim
> that the issue was fixed in -2lenny5.

So it does; they certainly weren't fixed though, and I think the confusion
is because of the found versions of the two associated bugs. (Upstream
doesn't really seem to do much in the way of linking bugs, commits,
releases and CVE numbers, so trying to pin this down so long after the
event is a bit like drinking spaghetti.)

I'll upload it shortly.

Cheers,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51