An XSS was found in login.php. But it requires to send malicious data via POST which makes it harder to exploit. E.g. it is not sufficient to click on a link.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726976
Attached patch. Please see included install.txt for installation instructions.
Attached patch. Please see included install.txt for installation instructions.