I think the problem does not only apply to PHP packages. For instance,
bugzilla in edgy is 2.22-1, which is two security-fix releases
older than upstream. Of course, similar issues are more serious for some
PHP packages, e.g. phpbb2 2.0.21-3 in edgy has 4 CVEs unfixed. The
same applies to the dapper versions of bugzilla 2.20-1 and phpbb2 2.0.18-2,
with even more CVEs unfixed. I think we can find a couple dozen
packages with similar problems.

Packages in main are better maintained, but many packages in universe
usually get no security fixes. Debian may have a newer version in
testing/unstable, hence they may not need to fix anything in
stable-security or testing-security since the version in testing/unstable
may be fixed already.

I only started to realize this problem recently. In the old days, I believed
that packages in Ubuntu universe were as secure as Debian stable.
Looks like I am plain wrong. Are we aware of such problems?

-- 
wordpress needs security updates in dapper and edgy?
https://launchpad.net/bugs/89654

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
