[Pkg-roundcube-maintainers] Bug#536498: Please backport roundcube CVE-2008-5619

Gerfried Fuchs rhonda at deb.at
Mon Jul 13 12:27:31 UTC 2009


 Hi again!

* Holger Levsen <holger at layer-acht.org> [2009-07-13 12:10:41 CEST]:
> On Montag, 13. Juli 2009, Gerfried Fuchs wrote:
> > - in this case it was Holger Levsen. Though, I just asked him and he
> > said that he doesn't care about etch-backports.
> 
> given that it's not possible/desirable to have backports from squeeze in 
> etch-bpo (see 
> http://lists.backports.org/lurker-bpo/message/20090220.215045.8a623425.en.html) 
> Alexander Wirt and I have decided last week that it's best to remove the 
> roundcube backport from etch-bpo. 

 Erm, you probably did misread that mail:

,--------------------------------> quote <--------------------------------
| But remember that contributors are now allowed to add packages to
| etch-bpo which have a higher version than in lenny (because they are
| allowed to add versions from squeeze).
`--------------------------------> quote <--------------------------------

 That's extremely far from "not possible/desirable" - and especially
when it comes to security issues it is more than desirable to have them
fixed.

 ... which, in the case of this bug report, is done. 0.1.1-9 did fix
CVE-2008-5619 for etch-backports, so it rather seems to me that Benjamin
got some things mixed up, unless the claimed patch in that upload wasn't
complete.

> Of course, if Gerfried wants to cherrypick and backport the needed fixes to 
> roundcube 0.1 and upload that to etch-bpo, he can do that. I'd still 
> recommend to upgrade to lenny, but that's the beauty of free software: there 
> is more than one way to do it and everybody can get involved :-)

 Unfortunately, lenny doesn't ship roundcube so that doesn't buy one
anything.

 Would be great to get things straightened out. Benjamin, do you claim
the package in etch-bpo affected by this bug and the fix to be
incomplete, or what's the deal? I'm especially puzzled by your original
version you reported it again to be 0.2.2-1 which is by far close to
anything that's in backports - or way over the version that it was fixed
in already. Do you claim by that that the patch got removed again, or
were you just puzzled?

 Thanks!
Rhonda