Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page
* Salvatore Bonaccorso:
> Hi Florian,
>
> On Fri, May 01, 2020 at 02:11:50PM +0200, Florian Weimer wrote:
>> * Florian Weimer:
>>
>> > * Francesco Poli:
>> >
>> >> Please note that the CVE is mentioned in [DSA-4667-1].
>> >>
>> >> [DSA-4667-1]: <https://lists.debian.org/debian-security-announce/2020/msg00071.html>
>> >>
>> >> What's wrong with that tracker page?
>> >
>> > It's something in the NVD data that breaks the HTML escaping.
>>
>> This patch adds basic Unicode support to the web framework. I'm not
>> sure if it is the right direction to move in, but it fixes the issue.
>>
>> An alternative fix would be to change the NVD importer not to put
>> Unicode strings into the database, by encoding them as byte strings
>> first.
>
> Do you want to deploy that or rather investigate an alternative?

I'd appreciate it if you could spot-check the changes (e.g., do we still
do HTML escaping properly?) and deploy it. It looks like I have
forgotten how to do it.