
Bug#929228: Bug#959231: security-tracker: Proxy Error on CVE-2020-11565 tracker page



Hi Florian,

On Fri, May 01, 2020 at 04:01:39PM +0200, Florian Weimer wrote:
> * Salvatore Bonaccorso:
> 
> > Hi Florian,
> >
> > On Fri, May 01, 2020 at 02:33:21PM +0200, Florian Weimer wrote:
> >> * Salvatore Bonaccorso:
> >> 
> >> > Hi Florian,
> >> >
> >> > On Fri, May 01, 2020 at 02:11:50PM +0200, Florian Weimer wrote:
> >> >> * Florian Weimer:
> >> >> 
> >> >> > * Francesco Poli:
> >> >> >
> >> >> >> Please note that the CVE is mentioned in [DSA-4667-1].
> >> >> >>
> >> >> >> [DSA-4667-1]: <https://lists.debian.org/debian-security-announce/2020/msg00071.html>
> >> >> >>
> >> >> >> What's wrong with that tracker page?
> >> >> >
> >> >> > It's something in the NVD data that breaks the HTML escaping.
> >> >> 
> >> >> This patch adds basic Unicode support to the web framework.  I'm not
> >> >> sure if it is the right direction to move in, but it fixes the issue.
> >> >> 
> >> >> An alternative fix would be to change the NVD importer not to put
> >> >> Unicode strings into the database, by encoding them as byte strings
> >> >> first.
> >> >
> >> > Do you want to deploy that or rather investigate an alternative?
> >> 
> >> I'd appreciate if you could spot-check the changes (e.g., do we still
> >> do HTML escaping properly?) and deploy it.  It looks like I have
> >> forgotten how to do it.
> >
> > Looks good to me, and yes can deploy it if you want me to. Please have
> > a look at the attached git format-patch'ed version if you agree with the
> > slight rewrite (since I do not want to commit something in your name
> > you would not agree with).
> 
> Still looks fine.
> 
> Signed-off-by: Florian Weimer <fw@deneb.enyo.de>

Thanks, applied and deployed.

Regards,
Salvatore

