Re: Bug#471158: ships embedded copy of smarty with security bug
 Hi!

 Copy to debian-release because this question is rather a question to
the release team, even though it's extremely late and hope is pretty low
...

* Thijs Kinkhorst <thijs@debian.org> [2008-03-19 20:15:43 CET]:
> On Wednesday 19 March 2008 18:45, Christian Perrier wrote:
> > So, would an NMU *not* covering the security issue interfere with a
> > security update ?
> >
> > Again, I'd be happy to do the security update but I need a patch. I
> > tried to have a look at the issue but it requires skills I don't have.
> 
> You would not interfere with any work from our (security team) point of view. 
> Moodle does not use the code of this specific vulnerability so no patch is 
> needed.
> 
> The bug itself stays open until the embedded smarty code has been removed, 
> because a next smarty bug could of course affect moodle.

 Thijs, do I perceive it correctly that you just forgot to lower the
severity of this bug report? From what I see this bug doesn't really
justify keeping moodle out of the release. Unfortunately this hasn't gotten
addressed in months (no one tracking this package seems to actually have
cared?!) so I would be surprised if the release team would allow it back
into lenny.

 On the other hand, the package hasn't changed at all since then, and
that it got removed because of this bug report which was mistakenly left
at high severity seems like it had been an unfortunate error itself,
too. Would it be possible to get moodle back into lenny given that the
only reason (to my knowledge) was this bug report mistakenly set at high
severity and no other serious or higher bug reports were filed against
this package in months?

 Thanks for responses,
Rhonda
