-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Everyone,

It was recently discovered that our puppet-gerrit module configures Gerrit in a way which makes it vulnerable to an XSS attack. This stems from our configuration marking text/html as a 'safe' mimetype[1]. This configuration change was first made in May 2014[2] but we believe it did not begin working until Feb 2015[3]. Using this, a user could potentially craft a review which, when visited at the proper url, would have access to the account information of any user visiting that url.

It is highly recommended that all downstream users of this module apply this commit[4] to protect themselves against this attack.

Thanks,
Greg

1: https://review.openstack.org/#/c/332219/
2: http://git.openstack.org/cgit/openstack-infra/puppet-gerrit/commit/?id=346618da6d0527335b67d17dea78f7d6c55fb129
3: http://git.openstack.org/cgit/openstack-infra/puppet-gerrit/commit/?id=c53838ae2246f74fd5206a1bdb7b8cac656529d9
4: http://git.openstack.org/cgit/openstack-infra/puppet-gerrit/commit/?id=8573c2ee172f66c1667de49685c88fdc8883ca8b

--
Gregory Haynes
greg at greghaynes.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXaYFFAAoJELwhhWqbFNDRb00P+gPHUKoKl8pH7wDn/cCB8AZN
yNZ5jlQ0GjB0+UnIqkrMbOQt4+CjPQup4kvQZRDNrBZll6If6J2usQFl1doAuR+T
orFObJfe9hL4nJRcHt7FOrCkWESJxOExmMUvHrS2EvHogPhYdATsfJ2trzZFqOpp
i/WY1+Ne42FTCvxavX8tPcpYp++ij38CPiM8LdBvKy/x/PYo3hjTQRmeJ9SOG4hL
ifsaAFnZcnlUhXE2qyfQE019QDtVG1QJv7sDWlkyde7UmmJNc8uaHZA/BP9HPDFU
7maZgOt/UGV0EQ5ILFC0ikYdpsQLDOdRzpQRFn6hYly/llVm9mtAVDvvUCw7WBnp
Kv8RI/MjjSvXlQs0fYmQB2D4sagdBVIEm/qt6SoN3oGNBifSbj3sLVQtb94gaEaY
WT6Ix/QYgLTVePyV+uvicVwfBMz6w3/rLn11faUklxegCcxUJDEXbPXLFz4b5YHv
rLJMegxraUj2cQn5kQe5D5NTEj6tpOClvC2Pg8kGIjVphbwgGZ4N/RuahArxDlmZ
5D2VRtajYGfpGaCjCzmtbpyAoljJINiv0ffLEQnezV5WF07aAzrgGTARlvhOJ3TV
KFuyttTzQk5lKAmylJg+mjwhKhZlP1nhznkAlc5qI7DLSzade2DC15BMJK9FoElT
6jBboGQNImnEd0VCbk/D
=0Xkq
-----END PGP SIGNATURE-----
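The weak setting the announcement describes is a gerrit.config stanza of the form `[mimetype "text/html"]` with `safe = true`, which makes Gerrit serve file content with that MIME type inline instead of as a download, so a reviewer's browser renders attacker-controlled HTML (and its script) on the Gerrit origin. The following check is an added example written for this page; it is not code from the puppet-gerrit module or from the linked commits. It parses a git-config style gerrit.config, flags every `safe = true` mimetype stanza whose pattern (exact or a wildcard such as `image/*`) covers a type browsers execute script from, and emits the corrected config with those entries set to `safe = false`. The sample config and the list of script-capable types are constructed here and are assumptions, not something Gerrit publishes.

```python
import fnmatch
import re

# Constructed sample gerrit.config (not taken from the puppet-gerrit module or
# from the commits linked above); the text/html entry reproduces the weak setting.
SAMPLE_GERRIT_CONFIG = """\
[gerrit]
\tcanonicalWebUrl = https://review.example.org/
[mimetype "image/png"]
\tsafe = true
[mimetype "text/html"]
\tsafe = true
[mimetype "text/plain"]
\tsafe = true
"""

# MIME types a browser will run script from when they are served inline.
# This list is the editor's assumption, not a list published by Gerrit.
SCRIPT_CAPABLE = (
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
)

_SECTION = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')
_KEYVAL = re.compile(r"^([\w-]+)\s*=\s*(.*?)\s*$")


def parse_git_config(text):
    """Minimal git-config style parser: {(section, subsection): {key: value}}.
    Handles tab-indented keys and '#'/';' comments; no includes or escapes."""
    config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            config.setdefault(current, {})
            continue
        m = _KEYVAL.match(line)
        if m and current is not None:
            config[current][m.group(1).lower()] = m.group(2)
    return config


def find_unsafe_safe_mimetypes(text):
    """Return [(pattern, [script-capable types it covers])] for every
    [mimetype "<pattern>"] section that has safe = true and whose pattern
    matches a script-capable type, exactly or via a wildcard like image/*."""
    findings = []
    for (section, pattern), values in parse_git_config(text).items():
        if section != "mimetype" or pattern is None:
            continue
        if values.get("safe", "false").lower() != "true":
            continue
        hits = [t for t in SCRIPT_CAPABLE if fnmatch.fnmatchcase(t, pattern.lower())]
        if hits:
            findings.append((pattern, hits))
    return findings


def harden_config(text):
    """Return the config with safe = false in every flagged mimetype section,
    leaving all other lines untouched (the corrected form of the weak setting)."""
    flagged = {pattern for pattern, _ in find_unsafe_safe_mimetypes(text)}
    out = []
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        m = _SECTION.match(stripped)
        if m:
            current = (m.group(1).lower(), m.group(2))
        kv = _KEYVAL.match(stripped)
        if (current and current[0] == "mimetype" and current[1] in flagged
                and kv and kv.group(1).lower() == "safe"):
            indent = raw[: len(raw) - len(raw.lstrip())]
            raw = indent + "safe = false"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for pattern, hits in find_unsafe_safe_mimetypes(SAMPLE_GERRIT_CONFIG):
        print(f'[mimetype "{pattern}"] safe = true covers: {", ".join(hits)}')
    print(harden_config(SAMPLE_GERRIT_CONFIG))
```

Run against the sample, the checker reports only the `text/html` stanza; `image/png` and `text/plain` stay marked safe, since a browser renders those without executing anything. Wildcard stanzas are checked too because `image/*` silently includes `image/svg+xml`, which can carry script.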