From ${URL} :

A reflected cross-site scripting flaw was reported in Synchronizing Key Server (SKS), an OpenPGP keyserver. A remote attacker could use this flaw to perform a cross-site scripting attack.

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=952077
https://bitbucket.org/skskeyserver/sks-keyserver/issue/26/unfiltered-xss
https://bitbucket.org/skskeyserver/sks-keyserver/pull-request/30/issue26-fix-a-non-persistent-cross-site
https://bitbucket.org/kristianf/sks-keyserver-patches/src/tip/Issue26?at=default
http://seclists.org/oss-sec/2014/q2/225

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Indeed. Once we release a 1.1.5 of SKS an ebuild will be created for it.
CVE-2014-3207 has been assigned to this issue.
Thank you for the CVE.
*sks-1.1.5 (05 May 2014)

  05 May 2014; Manuel Rüger <mrueg@gentoo.org> +sks-1.1.5.ebuild,
  -files/bdb_stubs-gentoo.patch, -files/sks-1.1.4-ECC_OID_fix_x86.patch,
  -files/sks-1.1.4-man_url.patch, -sks-1.1.2.ebuild, -sks-1.1.4-r1.ebuild,
  -sks-1.1.4.ebuild:
  Version bump. Cleanup old. Proxy commit for Kristian Fiskerstrand. Fixes bug
  #509352 (CVE-2014-3207).

Recent version in tree. Cleaned up vulnerable ebuilds. No stable version.
Maintainer(s), Thank you for cleanup! No GLSA needed as there are no stable versions.