CCed to Debian security team, as I notice that the version of web2py in
jessie is the same version as in wheezy, so presumably they will have
the same issues.
Brian May <email@example.com> writes:
> I am inclined to think that the code has changed so much since the
> wheezy version, that the current vulnerabilities are unlikely to be
> Even if you take the view that they are unless proven otherwise, and you
> can positively identify the concerned patches (upstream doesn't appear
> to be helping yet here), I don't think it is going to be feasible to
> backport these changes to wheezy, due to the significant code base
Wondering what to do from here. I guess the options are:
1. Wait longer for upstream response.
2. Try backporting jessie version to wheezy and adding security fixes.
3. Try backporting stretch version to wheezy.
4. Try backporting sid version to wheezy.
5. Mark web2py as unsupported in wheezy.
Scratch option 2, the versions are the same in Jessie and Wheezy - both
Scratch option 3, the package isn't in stretch. Probably due to an
outstanding RC bug
For option 4, wheezy/jessie has version 1.99.7-1 and sid has 2.12.3-1
(latest upstream version is 2.14.6) - I imagine upgrading this might
have compatibility issues. Not to mention that RC bug concerning
Considering this won't be in the next release of Debian, I am inclined
to pick option 5.
Brian May <firstname.lastname@example.org>