See $URL

- <3.1.4 (we do not seem to ship 3.1.x): Unauthorized Bug Change
- <2.20.6, <2.22.4, <3.0.4, <3.1.4: XSS
- <3.0.4, <3.1.4: Account Impersonation

Requesting CVEs.
- Unauthorized Bug Change: CVE-2008-2104
- XSS: CVE-2008-2103
- Account Impersonation: CVE-2008-2105 (according to Steve's interpretation, only 2.23.x < 3.x is affected, so we do not even ship a version which is affected by this).
The new versions are in the tree. Targets:

- 2.20.6: alpha amd64 ia64 ppc ppc64 sparc x86
- 2.22.4: ia64 ppc ppc64 sparc x86
- 3.0.4: alpha amd64 ia64 ppc ppc64 sparc x86
ppc64 stable
amd64/x86 stable
alpha/ia64/sparc stable
ppc stable
Fixed in release snapshot.
Removed vulnerable versions. webapps done.
Time for glsa vote here. I vote NO.
NO, too, and closing.