Gerfried Fuchs wrote:
> Hi!
> 
> * Jeremy T. Bouse <jbo...@debian.org> [2010-02-01 16:12:06 CET]:
>> Gerfried Fuchs wrote:
>>> * Jeremy T. Bouse <jbo...@debian.org> [2009-11-27 19:30:47 CET]:
>>>>    I am currently working on getting 1.4.4 ready to go and remove David
>>>> Gil from the package per (#551636)
>>>  Actually, I'm not sure, does this address Moritz' concerns, from a
>>> security team's point of view, especially with respect to stable? I
>>> don't see any update that would have fixed the security issues for
>>> lenny, what is your plan for that?
>>      1.4.4 reportedly fixes all current outstanding CVS reports. Short of
>> going and simply upgrading the old versions trying to go through the
>> code and find the specific fixes to these issues, as I've found no patch
>> files specific to the problem, would take much more time than I have
>> available when a fixed upstream version is already available in the
>> repository. 1.4.4-1 hit the unstable repository in late November and I
>> had a few fixes until 1.4.4-3 was migrated to testing just before Christmas.
> 
>  You are aware that maintaining a package doesn't mean only taking care
> for it in unstable but also to at least try to give the security team a
> helping hand for trying to get things straight in a stable release? I
> wonder, how severe are the issues actually? Is it better to pull the
> package from the stable release (like Moritz suggested already) if you
> don't see the possibility to get the issues fixed for stable, or do you
> consider the issues minor enough to ignore them for this time - but what
> will happen when more severe ones pop up?
> 
>  Thanks,
> Rhonda

        If I knew exactly what fixes occurred between 1.3.9 and 1.4.4 that
fixed the CVS reported problems I'd be more than happy to fix them and
get a new 1.3.9 version made available for the security team to release.
However, there are no patches that specifically identify fixing the
problem, and trying to perform a diff between 1.3.9 and 1.4.4 garners so
many changes in the code base that identifying them will take much more time
than I currently have.

        All I know of the problem is from the vague information given in the
CVS reports which are all listed as medium or high as they report
cross-site scripting and SQL injection issues. BASE itself confirmed the
problem and released 1.4.4 to fix them.

        If the security team wants to simply pull 1.2.7-4 from etch (oldstable) and
1.3.9-1 from lenny (stable), go ahead, and recommend pulling acidbase
from squeeze/testing if it's required to be installed on any systems
running stable or oldstable. PopCon shows low numbers of installs, though it
doesn't distinguish whether they are oldstable, stable, testing or unstable
installations.
