Posted to dev@flex.apache.org by Justin Mclean <ju...@classsoftware.com> on 2016/08/27 00:10:42 UTC

Re: [jira] [Updated] (FLEX-35123) DOM XSS vulnerability in history.js

Hi,

Given this is public (but IMO not serious), should we fix it and make a point release of the Flex SDK?

Simplest option IMO would be to apply the patch to the 4.15 release branch and make a 4.15.1 release, rather than make a full release from the develop branch. That being said, the last release was 6 months ago.

Thanks,
Justin

Re: [jira] [Updated] (FLEX-35123) DOM XSS vulnerability in history.js

Posted by Alex Harui <ah...@adobe.com>.

On 8/26/16, 5:10 PM, "Justin Mclean" <ju...@classsoftware.com> wrote:

>Hi,
>
>Given this is public (but IMO not serious), should we fix it and make a
>point release of the Flex SDK?
>
>Simplest option IMO would be to apply the patch to the 4.15 release branch
>and make a 4.15.1 release, rather than make a full release from the
>develop branch. That being said, the last release was 6 months ago.

If I understand correctly, this is almost theoretical:  someone would have
to be using Safari <= 2.0.4.

If that's true, IMO, there is no need to rush.  Accept the patch.  Start
the security fix process.  If someone needs it, they can get it from the
repo.
But you are right that it has been 6 months.  Time to discuss another
release.  But we should get FlexJS 0.7.0 out the door first.  Maybe a
BlazeDS update as well.

-Alex