
Re: [Secure-testing-team] Please unblock gallery 1.5.9-1



On Tue, Sep 30, 2008 at 11:34:30AM +0100, Neil McGovern wrote:
> On Mon, Sep 29, 2008 at 10:41:15AM -0400, Michael Schultheiss wrote:
> > Please unblock gallery 1.5.9-1.  This is a security release that fixed
> > CVE-2008-3662 and CVE-2008-4129.  The CVE's were not listed in the
> > changelog since I did not know the CVE numbers when the package was
> > built.
> > 
> 
> Gah.
> Images have changed, $Id$ changes and whitespace formatting, as well as things like:
> 
> -               $gallery->user->canCreateSubAlbum($gallery->album)) {
> +                       $gallery->user->canCreateSubAlbum($gallery->album))
> +               {
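Review bot: nothing changes functionally in this hunk; the only difference is that the opening brace moves from the end of the `canCreateSubAlbum` condition onto its own line, with the condition re-indented. A whitespace-only rewrap like this does not belong in a security release diff at all; keep it in a separate formatting commit so the fixes for CVE-2008-3662 and CVE-2008-4129 can be reviewed in isolation.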
> 
> Some pofiles also seem to have disappeared.
> 
> This all leads to:
>  828 files changed, 43756 insertions(+), 431897 deletions(-)
> 
> I'm not reviewing this, sorry.
> 
> s-t team: if someone can do so, I'll hint it in. Otherwise, I'll need a DTSA please.

This has happened for previous Gallery releases before and in fact many
issues are still open in Etch:

   gallery2            CVE-2008-4129        medium
                       CVE-2008-1066        low
                       CVE-2008-2720        low
                       CVE-2008-2721        low
                       CVE-2008-2722        low
                       CVE-2008-2723        low
                       CVE-2008-2724        low
                       CVE-2007-6685
                       CVE-2007-6686
                       CVE-2007-6687
                       CVE-2007-6688
                       CVE-2007-6689
                       CVE-2007-6690
                       CVE-2007-6691
                       CVE-2007-6692
                       CVE-2007-6693
                       CVE-2008-3662
                       CVE-2008-4130

Unless there's more effort by upstream and the maintainer to address this
by isolated patches and more detailed descriptions of vulnerabilities,
we should rather drop Gallery from Lenny.

(We already discussed this internally in the Security Team in July for previous
and came to the conclusion it should rather be removed unless the situation
improves).

Cheers,
        Moritz

