On Wednesday 23 February 2011 10:12:08 Philipp Kern wrote: > Hi, > > On Wed, Feb 09, 2011 at 09:32:48PM +0000, Steve Kemp wrote: > > Michael Brooks (Sitewatch) discovered a reflective XSS flaw in > > cgiirc, a web based IRC client, which could lead to the execution > > of arbitrary javascript. > > > > For the old-stable distribution (lenny), this problem has been fixed in > > version 0.5.9-3lenny1. > > > > For the stable distribution (squeeze), and unstable distribution (sid), > > this problem will be fixed shortly. > > > > We recommend that you upgrade your cgiirc packages. > > why wasn't this fixed (e.g. through an NMU) in unstable, too? The > announcement doesn't even mention unstable albeit it's the same version. Updating packages in unstable is in Debian the primary responsibility of the package maintainer. The security team tries to address issues in stable, oldstable and, in second instance, testing; unstable is addressed mostly as a way to ensure the issue is eventually fixed in testing. I understand your concern about unstable, but I would advise that you do not use unstable for critical systems, and our FAQ advises that too: http://www.debian.org/security/faq#unstable In the ideal world all suites are fixed simultaneously, and many times in the case of MIA maintainers unstable is also fixed by a member of the (testing) security team, mostly with an eye to fix testing via migration. So the security situation of unstable is mostly very decent. However, of all suites unstable obviously is not the priority. We use the security tracker to ensure that we know which packages still need fixing in testing. > especially if the point release doesn't happen for quite some time. It was probably not a consideration in this case, but the next point release is scheduled within a week or two. Thijs
Attachment:
signature.asc
Description: This is a digitally signed message part.