Hi! Copy to debian-release because this question is rather a question to the release team, even though it's extremely late and hope is pretty low ...
* Thijs Kinkhorst <[EMAIL PROTECTED]> [2008-03-19 20:15:43 CET]:
> On Wednesday 19 March 2008 18:45, Christian Perrier wrote:
> > So, would an NMU *not* covering the security issue interfere with a
> > security update?
> >
> > Again, I'd be happy to do the security update but I need a patch. I
> > tried to have a look at the issue but it requires skills I don't have.
>
> You would not interfere with any work from our (security team) point of view.
> Moodle does not use the code of this specific vulnerability so no patch is
> needed.
>
> The bug itself stays open until the embedded smarty code has been removed,
> because a next smarty bug could of course affect moodle.

Thijs, do I perceive it correctly that you just forgot to lower the severity of this bugreport? From what I see this bug doesn't really justify keeping moodle out of the release.

Unfortunately this hasn't been addressed in months (no one tracking this package seems to actually have cared?!) so I would be surprised if the release team would allow it back into lenny. On the other hand, the package hasn't changed at all since then, and that it got removed because of this bugreport which was mistakenly left at high severity seems like it had been an unfortunate error itself, too.

Would it be possible to get moodle back into lenny given that the only reason (to my knowledge) was this mistakenly high severe set bugreport and no other serious or higher bugreports were filed against this package in months?

Thanks for responses,
Rhonda