Hi,

On Wed, Feb 09, 2011 at 09:32:48PM +0000, Steve Kemp wrote:
> Michael Brooks (Sitewatch) discovered a reflective XSS flaw in
> cgiirc, a web based IRC client, which could lead to the execution
> of arbitrary javascript.
>
> For the old-stable distribution (lenny), this problem has been fixed in
> version 0.5.9-3lenny1.
>
> For the stable distribution (squeeze), and unstable distribution (sid),
> this problem will be fixed shortly.
>
> We recommend that you upgrade your cgiirc packages.

Why wasn't this fixed (e.g. through an NMU) in unstable, too? The
announcement doesn't even mention unstable, although it's the same
version. Of course there would be a propagation from stable to testing
and unstable if their version is lower at point release time. But if an
issue is severe enough to warrant a DSA release, unstable shouldn't be
left unfixed, IMO; especially if the point release doesn't happen for
quite some time.

Kind regards
Philipp Kern