The diff between 0.6.1 and 0.6.2 is only the commit that fixes this. So please stabilize.

Previously, setting `innerHTML` was used to display the statuses. These could include content communicated from the remote VNC server, allowing the remote VNC server to inject HTML into the noVNC page. This commit switches all uses of `innerHTML` to use `textContent`, which is not vulnerable to the HTML injection. Fixes an XSS vulnerability in the noVNC status display which could allow remote VNC servers to inject arbitrary HTML into the noVNC display page.

Reproducible: Always
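The pattern the fix describes, as an added illustration that is not noVNC's own code: the `innerHTML` status update beside the `textContent` one, driven by a constructed status string of the kind a remote server controls. `ModelElement`, `HOSTILE_STATUS` and the helper functions are assumptions made for this example; the element model only mirrors the one browser behaviour that matters here (assigning `innerHTML` parses markup, assigning `textContent` does not) so it runs under Node without a DOM.

```javascript
// Minimal stand-in for a DOM element (assumption for this example, not a real DOM).
class ModelElement {
  constructor() { this.children = []; this._text = ''; }
  // innerHTML setter: records every element the markup would create, as a parser would.
  set innerHTML(markup) {
    this.children = [...markup.matchAll(/<([a-zA-Z][\w-]*)\b/g)].map(m => m[1].toLowerCase());
    this._text = markup.replace(/<[^>]*>/g, '');
  }
  // textContent setter: the whole string becomes one text node; nothing is parsed.
  set textContent(text) { this.children = []; this._text = String(text); }
  get textContent() { return this._text; }
}

// Constructed sample of a status message as a hostile remote VNC server could send it.
const HOSTILE_STATUS = 'Connected to <img src=x onerror="alert(1)"> server';

// Before (0.6.1 behaviour): remote-controlled text is handed to the HTML parser.
function showStatusVulnerable(el, status) {
  el.innerHTML = status;
  return el;
}

// After (0.6.2 fix): the same text is inserted as a text node only.
function showStatusFixed(el, status) {
  el.textContent = status;
  return el;
}

// Defender-side check: a status line should never carry markup, so flag any
// message that looks like it does (useful for logging which servers send it).
function statusLooksLikeMarkup(status) {
  return /<[a-zA-Z!\/]/.test(status);
}

function demo() {
  const vuln = showStatusVulnerable(new ModelElement(), HOSTILE_STATUS);
  const fixed = showStatusFixed(new ModelElement(), HOSTILE_STATUS);
  return {
    vulnChildren: vuln.children,      // ['img']: an element was created from server data
    fixedChildren: fixed.children,    // []: no element, the tag is just characters
    fixedText: fixed.textContent,     // the original string, shown literally
    flagged: statusLooksLikeMarkup(HOSTILE_STATUS),
  };
}
```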
amd64 stable
x86 stable. Maintainer(s), please cleanup.
GLSA Vote: No
Cleaned: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c0ccba76d1f70d4b8928b337d6fba9d46214f00f