
Re: [Secure-testing-team] Please unblock gallery 1.5.9-1



CCing maintainer, who was dropped from the discussion.

* Moritz Muehlenhoff [Sat, 04 Oct 2008 22:28:15 +0200]:

> On Tue, Sep 30, 2008 at 11:34:30AM +0100, Neil McGovern wrote:
> > On Mon, Sep 29, 2008 at 10:41:15AM -0400, Michael Schultheiss wrote:
> > > Please unblock gallery 1.5.9-1.  This is a security release that fixed
> > > CVE-2008-3662 and CVE-2008-4129.  The CVEs were not listed in the
> > > changelog since I did not know the CVE numbers when the package was
> > > built.


> > Gah.
> > Images have changed, $Id$ changes and whitespace formatting, as well as things like:

> > -               $gallery->user->canCreateSubAlbum($gallery->album)) {
> > +                       $gallery->user->canCreateSubAlbum($gallery->album))
> > +               {
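Review bot: this hunk is a pure brace-placement and indentation change with no functional effect (the `{` moves to its own line and the condition is re-indented), so it contributes nothing to the fix for CVE-2008-3662 or CVE-2008-4129; churn of this kind should be stripped from a security release so the vulnerability fix can be reviewed as an isolated patch.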

> > Some pofiles also seem to have disappeared.

> > This all leads to:
> >  828 files changed, 43756 insertions(+), 431897 deletions(-)

> > I'm not reviewing this, sorry.

> > s-t team: if someone can do so, I'll hint it in. Otherwise, I'll need a DTSA please.

> This has happened for previous Gallery releases before and in fact many
> issues are still open in Etch:

>    gallery2            CVE-2008-4129        medium
>                        CVE-2008-1066        low
>                        CVE-2008-2720        low
>                        CVE-2008-2721        low
>                        CVE-2008-2722        low
>                        CVE-2008-2723        low
>                        CVE-2008-2724        low
>                        CVE-2007-6685
>                        CVE-2007-6686
>                        CVE-2007-6687
>                        CVE-2007-6688
>                        CVE-2007-6689
>                        CVE-2007-6690
>                        CVE-2007-6691
>                        CVE-2007-6692
>                        CVE-2007-6693
>                        CVE-2008-3662
>                        CVE-2008-4130

> Unless there's more effort by upstream and the maintainer to address this 
> by isolated patches and more detailed descriptions of vulnerabilities
> we should rather drop Gallery from Lenny.

> (We already discussed this internally in the Security Team in July for previous
> and came to the conclusion it should rather be removed unless the situation
> improves).

> Cheers,
>         Moritz



-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
                                        Listening to: Pastora - Invasión

