From ${URL} :

> RT 4.2.0 and above are vulnerable to a cross-site scripting (XSS)
> attack via the cryptography interface. This vulnerability could
> allow an attacker with a carefully-crafted key to inject JavaScript
> into RT's user interface. Installations which use neither GnuPG nor
> S/MIME are unaffected.

Fixed by: https://github.com/bestpractical/rt/commit/36a461947b00b105336adb4997d1c7767d8484c4

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Almost 2 weeks now. Awaiting maintainer to acquire patch from commit/36a461947b00b105336adb4997d1c7767d8484c4 and runtest.
commit 30c18705dcfa3ee3f51ffa025e45a89f402d5677
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date: Wed Nov 18 13:02:33 2015 -0500

    www-apps/rt: Remove Insecure Version

    Susceptible to cross-site scripting in cryptography interface
    security issue.

    Bug: 558424

    Package-Manager: portage-2.2.20.1

commit 5c322ee493f1c3dd6c14d0370e2f5fb891da996c
Author: Aaron W. Swenson <titanofold@gentoo.org>
Date: Wed Nov 18 13:01:02 2015 -0500

    www-apps/rt: Version Bump

    Fixes cross-site scripting in cryptography interface security
    issue.

    Bug: 558424

    Package-Manager: portage-2.2.20.1
Maintainer(s), Thank you for your work. Closing noglsa.