[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [SECURITY] [DSA-2158-1] cgiirc security update


On Wed, Feb 09, 2011 at 09:32:48PM +0000, Steve Kemp wrote:
> Michael Brooks (Sitewatch) discovered a reflective XSS flaw in
> cgiirc, a web based IRC client, which could lead to the execution
> of arbitrary javascript.
> For the old-stable distribution (lenny), this problem has been fixed in
> version 0.5.9-3lenny1.
> For the stable distribution (squeeze), and unstable distribution (sid),
> this problem will be fixed shortly.
> We recommend that you upgrade your cgiirc packages.

why wasn't this fixed (e.g. through an NMU) in unstable, too?  The
announcement doesn't even mention unstable albeit it's the same version.

Of course there would be a propagation from stable to testing and
unstable if their version is lower at point release time.  But if an
issue is severe enough to warrant a DSA release, unstable shouldn't be
left unfixed, IMO; especially if the point release doesn't happen
for quite some time.

Kind regards
Philipp Kern 

Attachment: signature.asc
Description: Digital signature

Reply to: