Hi David, I've put Raphaël in cc as he is my Grand Master (and sponsor) on galette.
On 13/03/2015 18:13, David Prévot wrote:
> Package: galette
> Version: 0.8+dfsg-1
> Severity: serious
> Tags: security upstream
>
> The galette package ships an embedded copy of ZendDb, but AFAICT, the
> version shipped (2.3.1) is affected by several security issues:
> CVE-2014-8089 and CVE-2015-0270 (aka ZF2014-06 and ZF2015-02).
>
> Shipping embedded copy instead of packaging it has a cost…
>
> https://anonscm.debian.org/cgit/collab-maint/galette.git/commit/?id=2e33ef76c470a0e7a9727ba4c281a7e3525e6720

Believe me, I was not proud of that commit, but still hoping to have galette-8.0 in jessie, I didn't consider packaging or asking for packaging of ZendDB V2...

I've filed an upstream bug for that issue: http://bugs.galette.eu/issues/911

Of course, if they provide a release with a correct version of ZendDB, I'll package it.

> FWIW, I’m willing to introduce the php-zend-db package (#780422) as soon
> as upstream fixes its build system.

Great news, I'll follow the ITP.

Do you think, in the meantime, it's worth making a package which removes the upstream embedded ZendDB and embeds a proper (let's say 2.3.6) version of it?

--
François-Régis