On Thu, 23 Jun 2011 14:41:02 +0200, Tanguy Ortolo wrote:
> Following the instructions of the security team, I have recently
> uploaded new versions of my package dokuwiki for stable and oldstable,
> fixing a flaw in the RPC interface that allows bypassing the ACL system
> in some very specific cases. I am not sure that you are already aware of
> my upload.

Your last sentence above confuses me slightly. I approved the uploads,
and you should have received "ACCEPTED" mails for them from the archive
software indicating that they had moved into the proposed-updates
queues; indeed, the upload to stable will be part of Saturday's point
release.

> Now, another flaw was discovered some days ago, allowing arbitrary
> JavaScript links to be inserted in the following case: a wiki page
> references an RSS feed; this feed contains specially crafted content.
> These are only JavaScript links, that require users to click on them,
> but that can be inserted from an external control over the referenced
> RSS feed only.
> This affects both the stable and oldstable versions: can I send an
> updated package, fixing both the ACL and the RSS problems?

"Updated" as in a new revision building on those you previously
uploaded; the packages containing the ACL fixes are already in
{oldstable-,}proposed-updates, so can't be replaced. Please prepare
packages for both stable and oldstable and send the debdiffs to
debian-release for approval.
Regards,
Adam