Need some more information about the #272620 bug

Alexis Sukrieh sukria at
Fri Jan 7 18:26:33 UTC 2005

* David Miller (justdave at disait :
> The bug is not exploitable unless you're using Internet Explorer or 
> Konqueror as the browser (maybe others, but those are the only two we 
> tested that we could duplicate it in).  If you're using most other 
> browsers, the browser will prevent the unescaped URL from being used.

Indeed, I do know that and I've performed my tests with Windows IE 6.

> >We actually provide the 2.16.7 release.
> I notice Debian Stable still lists version 2.14.2.  A quick examination 
> shows the content of the package is actually version 2.14.5, and the 
> version number wasn't bumped (all of the patches from the 2.14 branch 
> since 2.14.2 were applied by the diff.gz file as "backported patches" 
> except those were the only changes between those versions anyway).
> Version 2.14.x is NOT vulnerable to this particular issue.  The 
> javascript in question was added somewhere during the 2.15 development 
> cycle.  However, there have been several security issues since then that 
> have not been fixed in the 2.14 branch (because upstream support for it 
> was dropped two years ago), nor do I see patches for them included in 
> the existing Debian package, so the package in Woody shouldn't be 
> considered safe.

Ok, thanks for that note. 

The problem is that patches for woody must be
only security fixes, so is there a way to apply only the security
patches to make our 2.14 release safe ? 

I'm pretty sure the woody issue is quite sofisticated to solve, moreover
when we know that sarge will fix all that with providing a safe version... 

Any advices are really welcome as I'm just starting to maintain the
Bugzilla Debian package, feel free to give me comments and advices then

                                  Alexis Sukrieh <sukria at>

« Quidquid latine dictum sit, altum sonatur. » 
Whatever is said in Latin sounds profound.

More information about the developers mailing list