MHonArc 2.6.3 corrects another cross site scripting vulnerability discovered in MHonArc. A XSS demo exploit is publicly announced upstream, but only with a short blurb (as opposed to a detailed advisory) http://www.mhonarc.org/ http://savannah.nongnu.org/bugs/?func=detailbug&bug_id=3128&group_id=1968 Unknown if this affects Debian stable (mhonarc 2.5.2-1.3). I've uploaded 2.6.3 with high priority to Sid. -Jeff PS. Looks like there there are now four addresses on the Debian website for security team contact info. Bit confusing for me figuring out which to use. http://www.debian.org/security/faq#contact A: Security information can be sent to security@debian.org, which is supposed to be read by all Debian developers. If you have sensitive information please use team@security.debian.org which only the members of the security team read. If desired email can be encrypted with the Debian Security Contact key (key ID 0x363CCD95). http://www.debian.org/security/ Please send security-related bug reports to security@debian.org. (Developers may use debian-security and debian-security-private mailing lists in order to inform the security team members of problems in their packages.) -- Jeff Breidenbach <jab@debian.org> Debian Project
Attachment:
signature.asc
Description: This is a digitally signed message part