We just deployed the suggested patch on production. Thanks for reporting the bug.
Just for you to know, I'm slowly taking over some knowledge on the error tracker, and things might be moving a bit in the coming months (like converting to git, etc.)

** Changed in: errors
       Status: New => Fix Released

--
You received this bug notification because you are a member of Daisy Pluckers, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2046565

Title:
  XSS in error message display function (problem-not-found)

Status in Errors:
  Fix Released

Bug description:
  https://errors.ubuntu.com/?problem-not-found=%3Ciframe%20src=javascript:alert(0)%3E%3C/iframe%3E

  This deployment of the error tracker also lacks security headers such as CSP, and imports Yahoo APIs via plain HTTP.

  (Also, TLSv1.0 and v1.1 and many of the currently supported TLSv1.2 cipher suites ought to be disabled on any production sites nowadays.)
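An added illustration of the bug class in the report above (not the error tracker's code and not the deployed patch): a reflected `problem-not-found` value rendered unescaped versus escaped, served from a minimal WSGI app with the kind of security headers the report says were missing. The function names, the message markup and the header values are assumptions made for this example.

```python
import html
from urllib.parse import parse_qs

# Assumed header set; the policy values are illustrative, not the site's own.
SECURITY_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Content-Security-Policy",
     "default-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

# Query string taken from the bug description.
REPORTED_QUERY = "problem-not-found=%3Ciframe%20src=javascript:alert(0)%3E%3C/iframe%3E"


def _param(query_string):
    """Return the URL-decoded problem-not-found value, or an empty string."""
    return parse_qs(query_string).get("problem-not-found", [""])[0]


def render_unsafe(query_string):
    """'Before' form: the decoded value is concatenated into markup as-is."""
    return "<p class='error'>Problem not found: " + _param(query_string) + "</p>"


def render_safe(query_string):
    """Hardened form: HTML-escape the value at the point of output."""
    escaped = html.escape(_param(query_string), quote=True)
    return "<p class='error'>Problem not found: " + escaped + "</p>"


def app(environ, start_response):
    """Minimal WSGI app: escaped output plus defence-in-depth headers."""
    body = render_safe(environ.get("QUERY_STRING", "")).encode("utf-8")
    headers = SECURITY_HEADERS + [("Content-Length", str(len(body)))]
    start_response("200 OK", headers)
    return [body]


if __name__ == "__main__":
    print(render_unsafe(REPORTED_QUERY))  # markup reaches the page intact
    print(render_safe(REPORTED_QUERY))    # markup is shown as inert text
```

Escaping at output is the fix for the reflected value; the CSP is a second layer that limits what injected markup could do if an escaping gap reappears elsewhere.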