On 20/05/2021 05:11, Salvatore Bonaccorso wrote:
Thanks, so I have to assume we are protected since 63d6cb569d4e
("Refresh patches and patch out react-app URL handlers") in the
packaging repository, which would be in debian/2.15.2+ds-1.
Is this correct?
To be precise, that commit patched out the whole `/new` prefix when it
first appeared, and before this vulnerability was introduced. The vuln
appears at 3470ee1fbf9d424784eb2613bab5ab0f14b4d222 (3/11/2020),
released as part of 2.23.0, and a few days later it is merged into
Debian, and removed when refreshing patches in 7f0d9ba6d.
In a nutshell: we never released this code :)
--
Martina Ferrari (Tina)