
Re: Updates for dokuwiki



On Thu, 23 Jun 2011 14:41:02 +0200, Tanguy Ortolo wrote:
> Following the instructions of the security team, I have recently
> uploaded new versions of my package dokuwiki for stable and oldstable,
> fixing a flaw in the RPC interface that allows bypassing the ACL system
> in some very specific cases. I am not sure that you are already aware of
> my upload.

Your last sentence above confuses me slightly. I approved the uploads, and you should have received "ACCEPTED" mails for them from the archive software indicating that they had moved into the proposed-updates queues; indeed, the upload to stable will be part of Saturday's point release.

> Now, another flaw was discovered some days ago, allowing the insertion
> of arbitrary JavaScript links in the following case: a wiki page references
> an RSS feed; this feed contains specially crafted content. These are
> only JavaScript links, that require users to click on them, but that can
> be inserted from an external control over the referenced RSS feed only.
> This affects both the stable and oldstable versions: can I send an
> updated package, fixing both the ACL and the RSS problems?

"Updated" as in a new revision building on those you previously uploaded; the packages containing the ACL fixes are already in {oldstable-,}proposed-updates, so can't be replaced. Please prepare packages for both stable and oldstable and send the debdiffs to debian-release for approval.

Regards,

Adam
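
Added example, not part of the original message and not DokuWiki's actual fix: one way to keep `javascript:` links from a referenced RSS feed out of rendered wiki HTML is to allowlist link schemes after normalising the URL the way a browser does. The function names, the http/https allowlist and the sample feed are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from html import escape

ALLOWED_SCHEMES = {"http", "https"}  # assumption: feed links are web links
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(map(chr, range(0x21)))

def clean_url(url):
    # Browsers strip leading/trailing C0 controls and spaces and drop
    # tab/CR/LF anywhere before parsing a URL, so do the same first.
    return re.sub(r"[\t\r\n]", "", url.strip(_C0_AND_SPACE))

def link_scheme(url):
    """Lower-cased scheme as a browser would read it, or None."""
    m = _SCHEME_RE.match(clean_url(url))
    return m.group(1).lower() if m else None

def safe_link(url):
    """Cleaned URL if its scheme is allowlisted, else None."""
    return clean_url(url) if link_scheme(url) in ALLOWED_SCHEMES else None

def render_feed(rss_xml):
    """Render items as an HTML list; rejected links become plain text."""
    rows = []
    # Real feeds are untrusted XML; a hardened parser such as defusedxml
    # is preferable to the standard library parser used here.
    for item in ET.fromstring(rss_xml).iter("item"):
        title = escape(item.findtext("title", default="(untitled)"))
        href = safe_link(item.findtext("link", default=""))
        if href:
            rows.append('<li><a href="%s">%s</a></li>'
                        % (escape(href, quote=True), title))
        else:
            rows.append("<li>%s</li>" % title)
    return "<ul>%s</ul>" % "".join(rows)

# Constructed sample feed (not taken from the advisory or the package).
SAMPLE_FEED = """<rss version="2.0"><channel><title>Sample</title>
<item><title>Release notes</title><link>https://example.org/notes</link></item>
<item><title>Click me</title><link>javascript:alert(1)</link></item>
<item><title>Mixed case</title><link> JaVa&#9;ScRiPt:alert(1)</link></item>
</channel></rss>"""

if __name__ == "__main__":
    print(render_feed(SAMPLE_FEED))
```

Relative links are rejected as well, since a feed item link with no scheme cannot be checked against the allowlist.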

