I've opened a follow-up bug for the rest of the security improvements that could be done: bug 2076665.
-- You received this bug notification because you are a member of Daisy Pluckers, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/2046565 Title: XSS in error message display function (problem-not-found) Status in Errors: Fix Released Bug description: https://errors.ubuntu.com/?problem-not- found=%3Ciframe%20src=javascript:alert(0)%3E%3C/iframe%3E This deployment of the error tracker also lacks security headers such as CSP, and imports Yahoo APIs via plain HTTP. (Also, TLSv1.0 and v1.1 and many of the currently supported TLSv1.2 cipher suites ought to be disabled on any production sites nowadays.) To manage notifications about this bug go to: https://bugs.launchpad.net/errors/+bug/2046565/+subscriptions -- Mailing list: https://launchpad.net/~canonical-ubuntu-qa Post to : canonical-ubuntu-qa@lists.launchpad.net Unsubscribe : https://launchpad.net/~canonical-ubuntu-qa More help : https://help.launchpad.net/ListHelp
