On 20/05/2021 05:11, Salvatore Bonaccorso wrote:

> Thanks, so I have to assume we are protected since 63d6cb569d4e
> ("Refresh patches and patch out react-app URL handlers") in the
> packaging repository, which would be in debian/2.15.2+ds-1.
>
> Is this correct?

To be precise, that commit patched out the whole `/new` prefix when it first appeared, and before this vulnerability was introduced. The vuln appears at 3470ee1fbf9d424784eb2613bab5ab0f14b4d222 (3/11/2020), released as part of 2.23.0, and a few days later it is merged into Debian, and removed when refreshing patches in 7f0d9ba6d.

In a nutshell: we never released this code :)

--
Martina Ferrari (Tina)
