From ${URL} : The following flaw was reported against tcllib: User supplied input is directly inserted into the <textarea> as default value, e.g. a textarea named 'ta' with a parameter of ta=XXX results in `<textarea>XXX</textarea>` This can be used to break out of the <textarea>-context and insert arbitrary HTML content such as <script>-Tags. The attack is possible using HTTP GET requests as well as POST and multipart form encoded POST requests. Upstream Issue: http://core.tcl.tk/tcllib/tktview/09110adc430de8c91d26015f9697cdd099755e63 Upstream patch: http://core.tcl.tk/tcllib/vpatch?from=45c988bdfc7b9b74&to=212d1feefe48dcc8 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
+*tcllib-1.15-r2 (03 Mar 2015) + + 03 Mar 2015; Justin Lecher <jlec@gentoo.org> + +files/tcllib-1.15-XSS-vuln.patch, +files/tcllib-1.15-test.patch, + +files/tcllib-1.16-XSS-vuln.patch, +files/tcllib-1.16-test.patch, + +tcllib-1.15-r2.ebuild, +tcllib-1.16.ebuild: + Version Bump, #531864; fix testfailure, #478216; backport security fix, + #541912 +
@arches please go ahead, testsuite included Target: dev-tcltk/tcllib-1.15-r2
amd64 stable
Stable for HPPA.
s390 stable
X86 stable, thanks Justin! :-)
ia64 stable
ppc stable
ppc64 stable
sparc stable
alpha stable. Maintainer(s), please cleanup. Security, please vote.
+ 30 Mar 2015; Justin Lecher <jlec@gentoo.org> -tcllib-1.15-r1.ebuild: + Clean vulnerable + cleaned.
Arches and Maintainer(s), Thank you for your work. No GLSA's for Cross-Site Scripting (XSS) as per policy. Closing noglsa
