Hi Dmitry,

2016-01-25 0:24 GMT+01:00 Dmitry Smirnov <onlyjob@debian.org>:
> On Sat, 23 Jan 2016 07:37:02 PM Thorsten Alteholz wrote:
>> the Debian LTS team would like to fix the security issues which are
>> currently open in the Squeeze version of cakephp:
>> https://security-tracker.debian.org/tracker/CVE-2015-8379
>>
>> Would you like to take care of this yourself?
>> [...]
>> If you don't want to take care of this update, it's not a problem, we
>> will do our best with your package. Just let us know whether you would
>> like to review and/or test the updated package before it gets released.
>
> Hi Thorsten,
>
> I won't be able to update (or test) CakePHP in Squeeze. Sorry. Please feel
> free to do whatever is necessary to update CakePHP in Squeeze. Thanks.

LTS support for Squeeze ended but now Wheezy is receiving updates from the LTS team.

I have prepared an update for Wheezy's cakephp package fixing TEMP-0000000-698CF7, please see the diff attached. The fix could also be applied to Jessie's version.

I don't provide a fix for CVE-2015-8379 because Wheezy's (and Jessie's) version is very different from 3.2.0 in which version upstream released a partial fix and back-porting all the code seems to be too risky.

I have also opened #832283 for tracking the security issues in Sid and Stretch.

If there is no objection I plan to upload the fixed package to wheezy-security next week and issue a DLA.

Cheers,
Balint

PS: The packages are available for testing from:
https://people.debian.org/~rbalint/ppa/wheezy-lts/wheezy-security/

Attachment:
cakephp_1.3.15-1+deb7u1.debdiff
Description: Binary data