Only two remote holes in the default install, in more than 10 years

oh no, a lame xss bug in a 3rd party cgi script that runs on a solaris web server hosting a website that uses no cookies. surely this is big news!

You have achieved the difficult task of making CVS less usable.

This was posted on full-disclosure August 6th.<p><a href="http://seclists.org/fulldisclosure/2008/Aug/0074.html" rel="nofollow">http://seclists.org/fulldisclosure/2008/Aug/0074.html</a>

I cant decide if that's classy or cheeky.<p>But regardless, I dont know if a bug in cvsweb counts as openbsd - does it?

Is that a hole? Is that a default install?

OH NOEZ! U G0TZ MY CVSWEB COOKEEZ!