Sadly, the upstream fix doesn't address the root cause of the url parameter problem (and we've reported to them at least one exploit that is unfixed by their patch), and I'm working on the Foswiki fork of twiki, which is addressing the security issues we know about in what I consider a more thorough way. I have not had time to do more serious work on TWiki - including the debian package. Unless someone steps in to work more actively on the packaging, I would have to agree that it's better to remove TWiki from Debian at this point.

Sven

Florian Weimer wrote:
> * Dominic Hargreaves:
>
>> I'm disappointed that the code execution hasn't been addressed
>> (in testing or stable) but upstream do provide a trivial patch for
>> the version of twiki we have in Debian. If I was to NMU this (I've
>> already applied it manually on my system) would this mitigate the
>> need to remove twiki?
>
> We'd rather see someone testing a more complete patch (collecting
> fixes for all the reported problems) on a production system.

--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org