Author: stef-guest
Date: 2005-12-02 17:12:55 +0000 (Fri, 02 Dec 2005)
New Revision: 2928
Modified:
data/CVE/list
Log:
saxon works as intended but might surprise users
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2005-12-02 16:20:04 UTC (rev 2927)
+++ data/CVE/list 2005-12-02 17:12:55 UTC (rev 2928)
@@ -533,7 +533,12 @@
CVE-2005-3758 (Cross-site scripting (XSS) vulnerability in Google Mini Search
...)
NOT-FOR-US: Google search appliance
CVE-2005-3757 (The Saxon XSLT parser in Google Mini Search Appliance, and
possibly ...)
- TODO: check, whether this is related to libsaxon-java
+ NOTE: XSLTs can call arbitrary java methods in libsaxon-java. This
behaviour
+ NOTE: is well documented and can be switched off. Let's hope that all
users
+ NOTE: of saxon are aware of this. Filed a whishlist bug to add a
warning.
+ NOTE: Current rdependencies:
+ - ooo2dbk <not-affected> (uses it's own xslt unless overridden by
command line arg)
+ TODO: check zope-zms (stef-guest: pinged maintainers)
CVE-2005-3756 (Google Mini Search Appliance, and possibly Google Search
Appliance, ...)
NOT-FOR-US: Google search appliance
CVE-2005-3755 (Directory traversal vulnerability in Google Mini Search
Appliance, and ...)
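Review bot: The added NOTE lines under CVE-2005-3757 say the Java-method-calling behaviour "can be switched off" and that a wishlist bug was filed, but they name neither the switch nor the bug number, so a later reader of the list cannot verify or follow up on either. Add the bug reference to the NOTE and say how the feature is disabled. The entry also records a status only for the reverse dependency ooo2dbk and none for libsaxon-java itself, which is what the removed TODO was asking about; an explicit line for that package would close the question. The ooo2dbk line is marked <not-affected> while its own parenthetical says the stylesheet can be overridden by a command line argument, so the note should state why that override path does not change the assessment. Minor: "whishlist" should be "wishlist" and "it's own" should be "its own".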
_______________________________________________
Secure-testing-commits mailing list
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits