
Re: [SRM] Permission to upload mediawiki to stable



On Sat, Dec 18, 2010 at 08:00:39PM +0000, Adam D. Barratt wrote:
> On Sat, 2010-12-18 at 00:28 +0000, Jonathan Wiltshire wrote:
> >    * Fixed CSRF vulnerability in "e-mail me my password",
> >      "create account" and "create by e-mail" features of
> >      [[Special:Userlogin]]. CVE-2010-1648
> >    * Fixed XSS vulnerability affecting IE clients only, due to a CSS
> >      validation issue. CVE-2010-1647 (Closes: #585918)
> 
> The security tracker seems to be somewhat confused here, fwiw -
> http://security-tracker.debian.org/tracker/CVE-2010-164{7,8} both claim
> that the issue was fixed in -2lenny5.

So it does; they certainly weren't fixed though, and I think the confusion
is because of the found versions of the two associated bugs.

(Upstream doesn't really seem to do much in the way of linking bugs, commits,
releases and CVE numbers, so trying to pin this down so long after the
event is a bit like drinking spaghetti.)

I'll upload it shortly.

Cheers,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
