On 26.07.2010 15:08, Alexander Reichle-Schmehl wrote:
Hi!

* Giacomo A. Catenazzi <[email protected]> [100607 09:29]:

Please update lxr-cvs to the new stable version. The new version 0.9.8 of
lxrng fixes several cross-site scripting vulnerabilities (CVE-2009-4497) reported
in bug #575745.
The new version was published 2010-01-15 on
http://sourceforge.net/projects/lxr/
Yes, I'll push the security fix.

Note that the new upstream version is not a releasable
version: it was an alpha version with the security fix added,
but still it is not really working.

Any news on this?  There are four security related RC bugs open against
lxr and lxr-cvs.  And as popcon seems to report only one actively used
installation, I wonder if removing these packages wouldn't be an option.

"Seb" (I know only the nickname on IRC) told me a few days ago that a fix for the 4 CVEs for lxr-cvs was ready for release.
I was then planning to test and port the fixes to lxr.

It probably should not be put on stable releases anymore, but it is IMHO
a base for further developments (Debian sources, etc.), and
considering that CVEs are issued, I think lxr is still used and checked (so possibly it is not in such bad shape).

Note: probably one of the two packages should be removed, but I'm
still undecided which one.

ciao
        cate