
XSS in bugs.debian.org



Package: debbugs
Version: n/a
Severity: important
Tags: security


	Hi!

On Saturday, 01.11.2008, 17:47 +0100, Moritz Naumann wrote:
> I just realized there's a cross site scripting issue on bugs.debian.org,
> which you might like to fix.
> 
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=%22%3E%3Cscript%3Ealert(%27Oops.%27)%3C/script%3E%3Cx%20y=%22

 Confirmed.

> I know it's not your domain, but I'd like to point out that another XSS
> and some other issue (which may range from info disclosure to DoS) has
> been around on buildd.debian.org for a long time, first reported in Aug
> 2007, with reminders sent in June this year, and still unfixed.
> 
> Since, so far, there has apparently not been enough need to fix it,
> here are these URLs on a public mailing list now.
> 
> http://buildd.debian.org/build.php?pkg=%3Cscript%3Ealert(0)%3C/script%3E
> http://buildd.debian.org/build.php?&pkg=at&arch=%3Cscript%3Ealert(0)%3C/script%3E
> 
> Let me know if you need any help fixing these.

 Hmm, I'm not too sure if there is a (pseudo) package that this bug
could get cloned to for that, best thing probably would be to open a
ticket in RT.debian.org about it, but I'm not too sure in which queue?
Maybe someone else knows where to address this best these days ...

 Thanks,
Rhonda

Attachment: signature.asc
Description: This is a digitally signed message part
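As an added illustration that is not debbugs' own code, the query string from the reported pkgreport.cgi URL above is decoded the way a CGI would see it and then rendered through a hypothetical attribute template, first unescaped and then with attribute-context escaping; the template, helper names and the tag-counting check are assumptions, only the URL comes from the report.

```python
# Added example, not debbugs code: why the reported pkgreport.cgi URL
# reflects script, and how escaping in attribute context stops it.
# The two render_* templates are hypothetical stand-ins for the real CGI.
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# URL taken from the bug report above.
REPORTED_URL = ("http://bugs.debian.org/cgi-bin/pkgreport.cgi?"
                "src=%22%3E%3Cscript%3Ealert(%27Oops.%27)%3C/script%3E%3Cx%20y=%22")


def src_param(url: str) -> str:
    """Return the URL-decoded 'src' query parameter, as the CGI receives it."""
    return parse_qs(urlsplit(url).query)["src"][0]


def render_unescaped(src: str) -> str:
    """Hypothetical vulnerable rendering: raw value pasted into an attribute."""
    return f'<input name="src" value="{src}">'


def render_escaped(src: str) -> str:
    """Hardened rendering: escape &, <, >, " and ' before attribute use."""
    return f'<input name="src" value="{escape(src, quote=True)}">'


def tag_count(html: str) -> int:
    """Count opening tags; the template alone contributes exactly one."""
    return len(re.findall(r"<[A-Za-z]", html))


if __name__ == "__main__":
    value = src_param(REPORTED_URL)
    print("decoded src:", value)
    print("unescaped tags:", tag_count(render_unescaped(value)))  # 3: input, script, x
    print("escaped tags:  ", tag_count(render_escaped(value)))    # 1: input only
```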