Hi,

On Monday 12 March 2007 10:13, Javier Fernández-Sanguino Peña wrote:
> On Sun, Mar 11, 2007 at 07:31:16PM -0700, Cameron Dale wrote:
> > unstable (at least, that's how I understand it). So, all the
> > fixes for those bugs have been backported to the 2.1 version that
> > is in unstable.
>
> You *should* update the version in unstable ASAP. Freeze only
> applies to testing, *not* to unstable. The way to get security fixes
> into testing (when frozen) is through unstable. Even though your
> package is not in testing you should make every effort to keep
> unstable security-bug-free. Please mention all CVE names in the
> changelog fixed in your new upload (like you did for 2.1-7)
All open issues are fixed in unstable in 2.1-7, see
http://security-tracker.debian.net/tracker/source-package/torrentflux

Some more thoughts:

- when I looked through it, I found far fewer issues than I expected
  (though I still think that the code quality is very bad). However, I
  am also not a PHP expert and would not consider what I did to be a
  full audit.
- AFAIR most if not all issues were only for authenticated users, so
  maybe one could add a note that it should only be used with trusted
  users. Quake 2 was released with Sarge in this way while having lots
  of security issues.
- in November or so I had a discussion with Micah on IRC and we agreed
  that we did not see any problems with it being released with etch. I
  didn't notice the discussion on debian-release, though.

Cheers,
Stefan

Secure-testing-team mailing list
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

