We've been working for some time now on getting Slash to utilize CSS and also updating it's old crufty HTML while we're at it. We've moved Slash to HTML Strict 4.01. Slashcode.com and use.perl.org are currently running on this code. You can take a look at the markup, or log in and take a look around.
If you'd like to see what Slashdot might look like you can activate the Slashdot stylesheet on Slashcode.com in Firefox by choosing View > Page Style > Slashdot. I'm sure you can do the same thing with other browsers but you're on your own for the specifics of how to do so.
Both of these issues were found by Michael Krax who we understand will be publishing something about them shortly. Again, we thank Mr. Krax for responsibly reporting these issues to us and letting us give administrators running Slash time to upgrade their code.
The first security bug was introduced to Slash in May 2002. The second was introduced in October 2004. Both have been fixed in CVS since Dec. 8, 2004. Neither is present in our last official release, version 2.2.6.
For security reasons, we don't want to reveal too much of what's going on until everyone has had a chance to upgrade, but we will say that you can temporarily make your site immune to the vulnerability by removing the symlinks to search.pl and submit.pl.
We are urging all sites which are using a version of the code from CVS to upgrade now to the CVS tag R_2_5_0_41. Sites which are using the 2.2.6 tarball, the latest official release, do not need to upgrade (the issue is not present there).