
Re: Please unblock moodle_1.6.3-2



On Fri, Dec 15, 2006 at 07:09:22PM +0100, Moritz Muehlenhoff wrote:
> On 2006-12-14, Isaac Clerencia <isaac@debian.org> wrote:
> > I've just uploaded a new moodle version which only includes a new
> > patch for a XSS security problem.
> 
> Isaac, this is the 34th security problem in Moodle since 2004. (Counting
> by CVE assignments, many of them represent multiple security problems)
> 
> It's already more or less unsupportable in Sarge (AFAICT fixes for about
> a dozen vulnerabilities need to be analysed, extracted and backported,
> as upstream doesn't provide clean information; this is roughly 0.5-1
> man days of work)
> 
> I don't think we should repeat the mistake to include it in a stable
> release again.
> 

Doh, I probably should have sent an update to you about this...

I've worked with the maintainer lots on this, and upstream have made
significant changes to their tracking and information systems to allow
security updates to be made easier. This has all happened in the past
couple of months, and the maintainer is part of their embargoed security
list.

So, I'm happy supporting this for etch if you are :)

Neil
-- 
<h01ger> I miss a computer physically... I can ping it, but don't know where 
	it is...
