On Mon, October 6, 2008 11:12, Gerfried Fuchs wrote:
> Hi!
>
> Copy to debian-release because this question is rather a question to
> the release team, even though it's extremely late and hope is pretty low
> ...
>
> * Thijs Kinkhorst <[EMAIL PROTECTED]> [2008-03-19 20:15:43 CET]:
>> On Wednesday 19 March 2008 18:45, Christian Perrier wrote:
>>> So, would an NMU *not* covering the security issue interfere with a
>>> security update?
>>>
>>> Again, I'd be happy to do the security update but I need a patch. I
>>> tried to have a look at the issue but it requires skills I don't have.
>>
>> You would not interfere with any work from our (security team) point of
>> view. Moodle does not use the code of this specific vulnerability so no
>> patch is needed.
>>
>> The bug itself stays open until the embedded smarty code has been
>> removed, because a next smarty bug could of course affect moodle.
>
> Thijs, do I perceive it correctly that you just forgot to lower the
> severity of this bug report? From what I see this bug doesn't really justify
> keeping moodle out of the release. Unfortunately this hasn't been addressed
> in months (no one tracking this package seems to have actually cared?!) so I
> would be surprised if the release team would allow it back into lenny.
>
> On the other hand, the package hasn't changed at all since then, and
> that it got removed because of this bug report which was mistakenly left at
> high severity seems like it had been an unfortunate error itself, too.
> Would it be possible to get moodle back into lenny, given that the
> only reason (to my knowledge) was this bug report with its mistakenly high severity
> and no other serious or higher bug reports were filed against this package
> in months?
I'm not sure where you see that the severity is unjustified? As far as I know it still contains and uses an embedded code copy which is present as a separate package in the archive. I think that is a serious issue and don't see why it should go unresolved. It has a similar problem with libphp-phpmailer.

It has an XSS bug open without any action for months. It has had three NMUs in a row. It's currently orphaned; new maintainership is there but is only just starting up, as it seems.

There are many more open security issues in stable:
http://security-tracker.debian.net/tracker/source-package/moodle

Security issues are frequent in this package, so it needs an active maintainer to keep up with it, which it currently hasn't got.

Thijs