Thijs Kinkhorst wrote:
> > All affect Sarge.
>
> I've prepared updated packages for sarge. My updated package for sid is
> still pending with my sponsor Luk Claes. The updated packages for sarge
> are available here:
> http://www.a-eskwadraat.nl/~kink/mantis_sec/
>
> They are not signed since I'm not a DD yet.
> Please let me know if you have comments or questions.
The included patches look fine and correlate to what I extracted from the interdiff.

But where's the fix for CVE-2005-3337 aka mantis bug 5959? The mantis bug is non-public, but according to the description it's a cross-site-scripting vulnerability in mantis/view_all_set.php. They claim to have fixed it in 0.19.3 as well, but the interdiff doesn't show anything.

So CVE-2005-3337 either doesn't apply to 0.19.x and the changelog was a mistake, or the fix is missing in 0.19.3, or the fix is very non-obvious. But it should be checked back with upstream.

Cheers,
Moritz