Re: XSS in Slashcode

From: Jamie McCarthy (jamieat_private)
Date: Tue Jul 02 2002 - 07:25:40 PDT

    gcsbnzat_private (gcsb) writes:
    
    > There is a nasty Cross Site Scripting (XSS) vuln in Slashcode.
    > This was used a day or so ago on slashdot.org and resulted in most
    > of the site being taken down for an hour or so. The maintainers
    > of slashcode have patched the problem in CVS but have not even
    > mentioned it anywhere that I can find.
    
    The above is more or less true.  The bug was introduced in CVS on
    June 17 and was fixed on July 1.
    
    > This leaves all sites using slash vulnerable to this exploit.
    
    That is totally untrue.  Very few sites are running Slash from CVS,
    as the CVS tree is a pre-alpha version.  We have not yet even
    stamped it with a development release number (which will be 2.3.0
    as soon as we feel it is stable enough for bleeding-edge users).
    
    If gcsb had contacted the Slash coding team before posting to
    bugtraq, we would have been happy to clarify this.  As listed on our
    SF.net bug page, our security address is securityat_private
    
    > If you run a site using slashcode, get the latest CVS.
    
    Sites using the latest slashcode release (which is essentially all
    of them) are unaffected.  The latest release is 2.2.5, and its
    release date is February 7.  Such sites should not feel obligated
    to migrate to the CVS version.
    
    Sites running CVS should stay as current as possible at all times,
    of course.  The courageous admins of those sites should probably
    hang out on the IRC channel given on the slashcode.com homepage
    (#slash on irc.openprojects.net).
    
    And admins of all Slash sites should subscribe to the Announcement
    and probably General mailing lists, to stay current on these issues
    (signup information is also on the slashcode.com homepage).  We
    will be making an announcement on those lists momentarily.
    
    --
     Jamie McCarthy
     jamieat_private
    


