sean finney wrote:
> right. that package is the same as the normal etch version, plus a few
> unrelated security fixes. so both should be broken, but that one should
> be a little safer :)
>
> anyway, after speaking with the SRM's they've decided that this is an
> acceptable update to stable, so the version i posted on people.debian.org
> should make it into the next point release of stable. thanks to everyone who
> spent the time to test it and report back.

Sean,

thanks for the update. This means that the regression introduced with the security upload is going to stay there for a while (until we get a point release of stable)?

If so... it sounds pretty bad. Debian is used widely in the hosting space, where PHP is bread-and-butter. And this is a dataloss bug: users post their forms, and any passable CMS will run html-ish content past strip_tags() which will eat valid user input. Oooops!

I'm not convinced that it's a good idea to sit on this regression... the options seem to be

 - new secure package, eats data for breakfast (default)
 - pin the package to the old vulnerable, non-data-eating
 - use unofficial packages
 - avoid etch

cheers

m