Hi,

On Mon, Feb 18, 2008 at 06:26:38PM -0500, Chuck Hagenbuch wrote:
> The 2.1.4 patch seems to have a bunch of extra stuff in it - I would
> just do the changes to Group.php, sql.php, and browse.php. If you're
> also including different fixes those would have to be reviewed
> separately - those changes are a bit harder to follow.

I apologize because this patch includes *two* security patches:

- [jan] SECURITY: Fix privilege escalation in Horde API
  => from 2.1.6
- [cjh] SECURITY: Fix unchecked access to contacts in the same SQL table
  (Bug #6208).
  => from 2.1.7 (the patch spoken of in this thread)

For 2.0.2, I include one more security patch:

- [cjh] Close several XSS vulnerabilities with address book and contact data.
  => from 2.0.5

For easy reviewing, I include comments in my patches like:

--8<--
// backport security patch from Turba 2.*.*
--8<--

> >Note: FYI, Debian security team requested CVE id for this security issue.
>
> We got the report from you, so unless you created one I don't think
> there is one. Or do you mean that they started the process of creating
> one from CVE?

Yes, they started the process of creating one. We're waiting for it.

Regards,
-- 
Gregory Colpart <[EMAIL PROTECTED]> GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/

