On Sun, 15 Nov 2009 11:28:47 +0200 Yavor Doganov wrote:
> Michael Gilbert wrote:
> > On Sun, 15 Nov 2009 10:51:56 +0200 Yavor Doganov wrote:
> > > Do I understand correctly that the proper fix for this
> > > vulnerability is to disallow adding data:/javascript: URIs with
> > > Bookmarks -> Add to bookmarks menu, preferably informing the user
> > > with a dialog?
> >
> > yes, that appears to be what the (as-yet unapplied) mozilla patch does.

i marked it serious because the problem must be fixed before squeeze is
released. however, if the current transitions make more work, go ahead
and wait until it makes more sense.

> OK, I prepared a patch which I'll send upstream in a few minutes.
>
> One more question: There's an ongoing xulrunner-1.9.1 transition
> that's taking longer than expected, so a new upload will reset it.
> Should I upload to sid with urgency=high or first wait for the
> transition to complete?
>
> > > Also, does this warrant uploads to stable and oldstable?
> >
> > the issue itself is not too severe from a security perspective, so a
> > DSA will not be issued; however, you can (and probably should) fix
> > this via stable-proposed-updates.
>
> I see; will proceed accordingly. What about oldstable?

by stable-proposed-updates, i meant both an spu and an ospu.

mike