Re: Proposed fixes for potential XSS issues in xapian-omega
On Mon, 2011-09-26 at 02:32 +0100, Olly Betts wrote:
> On Sat, Sep 24, 2011 at 01:26:57PM +0100, Adam D. Barratt wrote:
> > On Thu, 2011-09-15 at 01:51 +1200, Olly Betts wrote:
> > > I've discussed these with the security team, and they decided it was most
> > > appropriate to handle them via a stable update. I've attached a debdiff
> > > showing the changes I'm proposing.
> > Apologies for the slight delay in getting back to you. For future
> > reference, a usertagged bug is generally easier for us to keep track of
> > and less likely to get lost in the (periodic) noise on the list.
> OK, I'll do that in future.
> FWIW, the dev ref just says to email the list, so perhaps needs updating
> if a usertagged bug is how the release team now prefers this to be done:
Yep, it's on my to-do list (somewhere).
> > > All these changes have been in upstream releases since 1.2.5 (released
> > > 2011-04-04) with no reports of any issues.
> > Please go ahead; thanks.
> I took that as implied permission to make the same changes to oldstable
> too, but in the process of applying them I noticed a couple of places
> which had been missed. Neither is going to be easy to exploit, but I
> think it is worth patching these too while we're at it. I've attached a
> patch showing just the two extra fixes for clarity. I've tested these
> to make sure they work as intended.
> Is it OK to include these too?
Yes, those look fine; thanks.
An upload for oldstable would also be okay. (Note that the upload
window for next weekend's oldstable point release closed last night, so
an upload in the meantime will sit in the o-p-u-NEW queue until after
the point release).