Michael Gilbert wrote:
> On Sun, 15 Nov 2009 10:51:56 +0200 Yavor Doganov wrote:
> > Do I understand correctly that the proper fix for this
> > vulnerability is to disallow adding data:/javascript: URIs with
> > Bookmarks -> Add to bookmarks menu, preferably informing the user
> > with a dialog?
>
> yes, that appears to be what the (as-yet unapplied) mozilla patch does.

OK, I prepared a patch which I'll send upstream in a few minutes.

One more question: There's an ongoing xulrunner-1.9.1 transition that's
taking longer than expected, so a new upload will reset it. Should I
upload to sid with urgency=high or first wait for the transition to
complete?

> Also, does this warrant uploads to stable and oldstable?
>
> the issue itself is not too severe from a security perspective, so a
> DSA will not be issued; however, you can (and probably should) fix
> this via stable-proposed-updates.

I see; will proceed accordingly. What about oldstable?

