[Secure-testing-commits] r2928 - data/CVE
Stefan Fritsch
stef-guest at costa.debian.org
Fri Dec 2 17:12:59 UTC 2005
Author: stef-guest
Date: 2005-12-02 17:12:55 +0000 (Fri, 02 Dec 2005)
New Revision: 2928
Modified:
data/CVE/list
Log:
saxon works as intended but might surprise users
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2005-12-02 16:20:04 UTC (rev 2927)
+++ data/CVE/list 2005-12-02 17:12:55 UTC (rev 2928)
@@ -533,7 +533,12 @@
CVE-2005-3758 (Cross-site scripting (XSS) vulnerability in Google Mini Search ...)
NOT-FOR-US: Google search appliance
CVE-2005-3757 (The Saxon XSLT parser in Google Mini Search Appliance, and possibly ...)
- TODO: check, whether this is related to libsaxon-java
+ NOTE: XSLTs can call arbitrary java methods in libsaxon-java. This behaviour
+ NOTE: is well documented and can be switched off. Let's hope that all users
+ NOTE: of saxon are aware of this. Filed a whishlist bug to add a warning.
+ NOTE: Current rdependencies:
+ - ooo2dbk <not-affected> (uses it's own xslt unless overridden by command line arg)
+ TODO: check zope-zms (stef-guest: pinged maintainers)
CVE-2005-3756 (Google Mini Search Appliance, and possibly Google Search Appliance, ...)
NOT-FOR-US: Google search appliance
CVE-2005-3755 (Directory traversal vulnerability in Google Mini Search Appliance, and ...)
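Review bot: The NOTE ending "Filed a whishlist bug to add a warning" records no bug number, so a later reader cannot find the report or tell whether the warning was ever added; please add the bug reference to that line. The same NOTE says the Java-method behaviour "is well documented and can be switched off" without saying where it is documented or how it is switched off, which is what whoever picks up the "TODO: check zope-zms" line will need. The entry for CVE-2005-3757 also ends up with a status line for ooo2dbk only and none for libsaxon-java itself, although that is the package the removed TODO asked about; an explicit status for it would make the conclusion in the log message ("works as intended") visible in the list. Minor: "whishlist" should be "wishlist" and "it's own xslt" should be "its own xslt".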