On Tuesday 25 March 2008 19:14, Olivier Berger wrote:
> It looks to me as if bug #435936 wasn't completely fixed for etch/stable
> (considering http://security-tracker.debian.net/tracker/CVE-2007-4048,
> thanks to Thomas Viehmann for pointing this out).
>
> Btw, I don't exactly know why bug #435936 could be archived, even though
> there was a found reported in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=31;bug=435936)
I think this is because it was completely fixed in testing/unstable, and to keep it open in sarge or etch, you need to use the tags with those names. At least that's how I understood it; the archiving thing is also a bit opaque to me :-)

> Anyway, I think that the fix proposed in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=15;filename=CVE-2007-4048.patch;att=1;bug=435936
> should apply to 0.9.16.011-2.2 too.
>
> I expected that applying for maintainer on phpGroupware would bring in
> dealing with these kinds of issues ;-)
>
> Will try and propose a fix as soon as possible... but considering the long
> period during which eventual stable installations of
> phpgroupware-phpsysinfo have been vulnerable (if it indeed applies to the
> stable version), I suppose harm is already done, so I'm not sure there's a
> case of emergency here :(

Indeed, this doesn't need to be fixed instantly, but a fix would be appreciated. Please follow the instructions as laid out in the Developer's Reference on security updates.

If you are going to fix this issue during the next week, we also still support sarge. We could provide an update for sarge as well (including the other CVE id open for sarge?). Fixing sarge can still be done, but only if it's easy enough to be worth the trouble, else don't bother with it. If it's after 1 April we are not going to fix it in any case.

Thijs