Need some more information about the #272620 bug
Alexis Sukrieh
sukria at sukria.net
Fri Jan 7 18:26:33 UTC 2005
* David Miller (justdave at bugzilla.org) disait :
> The bug is not exploitable unless you're using Internet Explorer or
> Konqueror as the browser (maybe others, but those are the only two we
> tested that we could duplicate it in). If you're using most other
> browsers, the browser will prevent the unescaped URL from being used.
Indeed, I do know that and I've performed my tests with Windows IE 6.
> >We actually provide the 2.16.7 release.
>
> I notice Debian Stable still lists version 2.14.2. A quick examination
> shows the content of the package is actually version 2.14.5, and the
> version number wasn't bumped (all of the patches from the 2.14 branch
> since 2.14.2 were applied by the diff.gz file as "backported patches"
> except those were the only changes between those versions anyway).
>
> Version 2.14.x is NOT vulnerable to this particular issue. The
> javascript in question was added somewhere during the 2.15 development
> cycle. However, there have been several security issues since then that
> have not been fixed in the 2.14 branch (because upstream support for it
> was dropped two years ago), nor do I see patches for them included in
> the existing Debian package, so the package in Woody shouldn't be
> considered safe.
Ok, thanks for that note.
The problem is that patches for woody must be
only security fixes, so is there a way to apply only the security
patches to make our 2.14 release safe ?
I'm pretty sure the woody issue is quite sofisticated to solve, moreover
when we know that sarge will fix all that with providing a safe version...
Any advices are really welcome as I'm just starting to maintain the
Bugzilla Debian package, feel free to give me comments and advices then
;)
--
Alexis Sukrieh <sukria at sukria.net>
http://www.sukria.net
« Quidquid latine dictum sit, altum sonatur. »
Whatever is said in Latin sounds profound.
More information about the developers
mailing list