On Wed, Oct 22, 2008 at 12:21:47PM -0700, Chris Hall wrote:
> That's correct, Dominic. Our Japanese subsidiary released 4.22 and we
> were due to release it shortly afterwards. Unfortunately, in the time
> between their release and ours a further security issue was
> discovered, necessitating a delay in our release of 4.22, and in
> fact, requiring that we skip 4.22 and go directly to 4.23, which both
> SAKK and SAUS will be releasing concurrently either later this week
> or early next.

Is there any further news of this? I'm particularly interested, since our (Debian) release is hopefully very near now, to get any security-relevant changes in.

One of my colleagues from Debian has extracted the XSS-related issues from MTOS-4.22-ja[1] but I would be more confident in applying this if it came as patches from the same source as the movabletype.org releases I'm currently packaging.

Extracting the security-relevant patches from the above release was somewhat cumbersome and error-prone, and as noted in the Debian bug, there were some spurious-looking changes that didn't look correct, so I suspect that release wasn't QA'd in the normal fashion?

Thanks,
Dominic.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503114#5

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)