On Tue, Dec 11, 2007 at 11:50:25AM +0100, Thijs Kinkhorst wrote:
> On Tuesday 11 December 2007 09:37, [EMAIL PROTECTED] wrote:
> > Log:
> > CVE-2007-6205 fixed in serendipity 1.2.1-1
>
> > CVE-2007-6205
> > RESERVED
> > + - serendipity 1.2.1-1 (low)
>
> This issue is: XSS through remote RSS feeds.
>
> I would rate it as unimportant myself: it requires using this specific
> plugin, only with an OPML-format feed, and then the remote maintainer of
> that feed needs to be interested in getting your password, and will need
> to put malicious script into the url-parameter of that feed (breaking the
> feed for everyone else, so it's noticeable and traceable who did it). To
> me this scenario sounds highly unlikely.
>
> I propose to mark it as no-dsa for stable, and even to lower the severity to
> unimportant. Comments?
no-dsa should be fine I guess.
Cheers,
Moritz
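For readers unfamiliar with the bug class under discussion, here is an added example (Python, not serendipity's own code) of the check a feed-aggregating plugin needs before it renders outline entries from a remote OPML document: reject any url attribute whose scheme is not http/https and HTML-escape whatever is emitted. The OPML sample, the scheme allowlist and the function names are constructed for this illustration.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample OPML: one benign outline, one carrying a javascript:
# URL, and one whose URL tries to break out of the href attribute.
SAMPLE_OPML = """<?xml version="1.0"?>
<opml version="2.0">
  <body>
    <outline text="Example feed" type="rss"
             url="http://feeds.example.org/rss20.xml"/>
    <outline text="Bad scheme" type="rss" url="javascript:void(0)"/>
    <outline text="Quote breakout" type="rss"
             url="http://example.org/feed?q=&quot;&gt;&lt;b&gt;x&lt;/b&gt;"/>
  </body>
</opml>"""

ALLOWED_SCHEMES = {"http", "https"}   # assumption: only web feeds are wanted


def safe_feed_url(raw):
    """Return the URL if it has an allowed scheme and a host, else None."""
    candidate = raw.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_opml_links(opml_text):
    """Parse OPML and return (html_list, rejected_urls).

    Only outlines whose url passed safe_feed_url() are rendered; both the
    href and the link text are escaped so attribute or tag breakout fails.
    """
    root = ET.fromstring(opml_text)
    items, rejected = [], []
    for outline in root.iter("outline"):
        url = outline.get("url") or outline.get("xmlUrl") or ""
        text = outline.get("text", "")
        checked = safe_feed_url(url)
        if checked is None:
            rejected.append(url)
            continue
        items.append('<li><a href="%s">%s</a></li>'
                     % (html.escape(checked, quote=True), html.escape(text)))
    return "<ul>" + "".join(items) + "</ul>", rejected
```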