severity 446451 normal
thanks

On Tue, October 16, 2007 09:40, Michal Čihař wrote:
> And it looks to be exploitable only with MSIE with disabled UTF-8 urls.

Yeah... which is not the default. Only exploitable with a specific browser with a specific environment is quite obscure.

> BTW: There will be yet another XSS fixed soon (already fixed in SVN,
> release will probably happen today), so you should probably wait with
> uploading new version :-).

For stable, I propose to not release a DSA for this issue (CVE-2007-5386) specifically. If a DSA is needed in the future for another issue we can include the fix then while we're at it.

I'll follow Michal's advice for waiting for the new upstream before taking more action here. It's not urgent currently.

Thijs