A hardcoded internal placeholder string has been replaced with a random one. This closes a hole where security checks in inline style attributes could be bypassed, injecting JavaScript code that could execute in Microsoft Internet Explorer.
maintainers are already working on ebuilds. Anybody knows if 1.4.X is also affected?
new ebuild in portage, 1.4.x seems unaffected and we can close without a glsa.