If the video filter man-in-the-middle XSS (e.g. via evil DNS) is classified as a security issue, shouldn't the current update status process (e.g. via admin/reports/updates/update) be marked a security issue as well?
As far as I can see there are no authenticity checks whatsoever on the release data and download.
This can be used to:
1. prevent reception of update alerts via the update status channel
2. entice admins to install modules from untrusted servers
(This has been cleared by the secteam for public discussion; the suggestion was the Infra queue, but it would need Core support as well.)
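As an added illustration of the two outcomes described above (not code from the original post or from Drupal), here is a fail-closed update-status client: it refuses to act on a release feed unless the feed is authentic and fresh, and refuses a module tarball unless its hash matches the verified feed. The feed layout, the function names and the HMAC stand-in for a signature are assumptions; a real update server would sign the feed with a public key that ships with the client, not a shared secret.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed shared key standing in for the update server's signing key
# (assumption: a real deployment would use a public-key signature instead).
FEED_KEY = b"constructed-demo-key"
MAX_FEED_AGE = 7 * 24 * 3600  # feeds older than a week are treated as missing

# Constructed module tarball and its hash, as the feed would publish it.
TARBALL = b"constructed tarball bytes"
TARBALL_SHA256 = hashlib.sha256(TARBALL).hexdigest()

# Constructed release feed in a Drupal-like layout (version + tarball hash).
FEED_XML = (
    b"<project><generated>1700000000</generated>"
    b"<release><version>7.2</version><sha256>" + TARBALL_SHA256.encode()
    + b"</sha256></release></project>"
)

def sign_feed(feed: bytes, key: bytes = FEED_KEY) -> str:
    """Server side: sign the raw feed bytes (HMAC stands in for a real signature)."""
    return hmac.new(key, feed, hashlib.sha256).hexdigest()

def check_feed(feed: bytes, sig: str, now: int, key: bytes = FEED_KEY):
    """Return the release versions, or None if the feed must not be trusted."""
    # Authenticity: whoever controls DNS or the network can swap the body,
    # so the signature is checked before anything is parsed.
    if not hmac.compare_digest(sign_feed(feed, key), sig):
        return None
    root = ET.fromstring(feed)
    generated = int(root.findtext("generated", "0"))
    # Freshness: replaying an old, genuinely signed feed would hide new
    # releases (outcome 1), so a stale feed counts as a failed fetch.
    if now - generated > MAX_FEED_AGE:
        return None
    return [r.findtext("version") for r in root.iter("release")]

def check_download(tarball: bytes, expected_sha256: str) -> bool:
    """Install only a tarball whose hash matches the verified feed (outcome 2)."""
    actual = hashlib.sha256(tarball).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)
```

A client without these checks accepts whatever the resolved host returns, which is exactly the gap the report describes.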