
Re: [SECURITY] [DSA-2158-1] cgiirc security update

On Wednesday 23 February 2011 10:12:08 Philipp Kern wrote:
> Hi,
> On Wed, Feb 09, 2011 at 09:32:48PM +0000, Steve Kemp wrote:
> > Michael Brooks (Sitewatch) discovered a reflective XSS flaw in
> > cgiirc, a web based IRC client, which could lead to the execution
> > of arbitrary JavaScript.
> > 
> > For the old-stable distribution (lenny), this problem has been fixed in
> > version 0.5.9-3lenny1.
> > 
> > For the stable distribution (squeeze), and unstable distribution (sid),
> > this problem will be fixed shortly.
> > 
> > We recommend that you upgrade your cgiirc packages.
> Why wasn't this fixed (e.g. through an NMU) in unstable, too?  The
> announcement doesn't even mention unstable, although it's the same version.

In Debian, updating packages in unstable is primarily the responsibility of 
the package maintainer. The security team tries to address issues in stable, 
oldstable and, in second instance, testing; unstable is addressed mostly as a 
way to ensure the issue is eventually fixed in testing.

I understand your concern about unstable, but I would advise that you do not 
use unstable for critical systems, and our FAQ advises that too: 

In an ideal world all suites are fixed simultaneously, and in many cases of 
MIA maintainers unstable is also fixed by a member of the (testing) security 
team, mostly with an eye to fixing testing via migration. So the security 
situation of unstable is mostly very decent. However, of all the suites, 
unstable is obviously not the priority.

We use the security tracker to ensure that we know which packages still need 
fixing in testing.

> especially if the point release doesn't happen for quite some time.

It was probably not a consideration in this case, but the next point release 
is scheduled within a week or two.
