
Re: Bug#471158: ships embedded copy of smarty with security bug



On Mon, October 6, 2008 11:12, Gerfried Fuchs wrote:
> Hi!
>
>
> Copy to debian-release because this question is rather a question to
> the release team, even though it's extremely late and hope is pretty low
> ...
>
>
> * Thijs Kinkhorst <thijs@debian.org> [2008-03-19 20:15:43 CET]:
>
>> On Wednesday 19 March 2008 18:45, Christian Perrier wrote:
>>
>>> So, would an NMU *not* covering the security issue interfere with a
>>> security update ?
>>>
>>> Again, I'd be happy to do the security update but I need a patch. I
>>> tried to have a look at the issue but it requires skills I don't have.
>>>
>>
>> You would not interfere with any work from our (security team) point of
>> view. Moodle does not use the code of this specific vulnerability so no
>> patch is needed.
>>
>> The bug itself stays open until the embedded smarty code has been
>> removed, because a next smarty bug could of course affect moodle.
>
> Thijs, do I perceive it correctly that you just forgot to lower the
> severity of this bug report? From what I see this bug doesn't really justify
> keeping moodle out of the release. Unfortunately this hasn't been addressed
> in months (no one tracking this package seems to actually have cared?!) so I
> would be surprised if the release team would allow it back into lenny.
>
> On the other hand, the package hasn't changed at all since then, and
> the fact that it got removed because of this bug report, which was mistakenly
> left at high severity, seems like it was an unfortunate error itself, too.
> Would it be possible to get moodle back into lenny given that the
> only reason (to my knowledge) was this bug report with its mistakenly high
> severity, and no other serious or higher bug reports were filed against this
> package in months?

I'm not sure where you see that the severity is unjustified? As far as I
know it still contains and uses an embedded code copy which is present as
a separate package in the archive. I think that is a serious issue and
don't see why it should go unresolved.

It has a similar problem with libphp-phpmailer. It has an XSS bug open
without any action for months. It has had three NMUs in a row. It's
currently orphaned; new maintainership is there but is only just starting
up, as it seems.

There are many more open security issues in stable:
http://security-tracker.debian.net/tracker/source-package/moodle

Security issues are frequent in this package so it needs an active
maintainer to keep up with it, which it currently hasn't got.


Thijs
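The problem Thijs describes above, an embedded copy of a library that is also packaged separately and therefore silently misses the separate package's security updates, is the kind of thing worth checking mechanically rather than by hand. The following is an added example, not code from this thread, from Moodle or from Debian: a small Python scan that walks a source tree looking for the main class file of each library it knows about, reads the version string the embedded copy declares, and flags copies that are older than the version packaged separately. The file names, the version-string patterns and the reference versions are assumptions made for illustration, and the source tree it scans is constructed inline.

```python
import os
import re
import tempfile

# Assumed markers (not taken from the thread): the file name each library
# ships its main class in, and a pattern for the version string it declares.
# The Smarty pattern accepts both the old "$_version = '2.6.x'" style and the
# later "SMARTY_VERSION ... 'Smarty-3.x'" style; PHPMailer keeps a $Version.
EMBEDDED_MARKERS = {
    "smarty": (
        "Smarty.class.php",
        re.compile(r"(?:\$_version\s*=|SMARTY_VERSION\W+)\s*['\"](?:Smarty-)?([\d.]+)['\"]"),
    ),
    "phpmailer": (
        "class.phpmailer.php",
        re.compile(r"\$Version\s*=\s*['\"]([\d.]+)['\"]"),
    ),
}

# Versions assumed to be shipped as separate packages; placeholder values.
REFERENCE_VERSIONS = {"smarty": "2.6.20", "phpmailer": "1.73"}


def parse_version(v):
    """Turn '2.6.18' into (2, 6, 18) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def find_embedded_copies(root):
    """Walk a source tree; return sorted (library, relative path, version) for
    every file whose name matches a known embedded library. version is None
    when the file is present but its version marker could not be read."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            for lib, (fname, rx) in EMBEDDED_MARKERS.items():
                if name != fname:
                    continue
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    m = rx.search(fh.read())
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found.append((lib, rel, m.group(1) if m else None))
    return sorted(found)


def stale_copies(found, reference):
    """Return (library, path, embedded version, reference version) for copies
    that are older than the separately packaged version, or whose version
    could not be determined (those need a manual look)."""
    stale = []
    for lib, path, ver in found:
        ref = reference.get(lib)
        if ref is None:
            continue
        if ver is None or parse_version(ver) < parse_version(ref):
            stale.append((lib, path, ver, ref))
    return stale


def build_sample_tree(root):
    """Write a constructed application tree: an outdated embedded Smarty,
    an up-to-date embedded PHPMailer, and one unrelated file."""
    samples = {
        "lib/smarty/Smarty.class.php":
            "<?php\nclass Smarty {\n    var $_version = '2.6.18';\n}\n",
        "lib/phpmailer/class.phpmailer.php":
            "<?php\nclass PHPMailer {\n    var $Version = '1.73';\n}\n",
        "lib/weblib.php": "<?php\n// unrelated application code\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo(reference=REFERENCE_VERSIONS):
    """Scan the constructed tree; return (all embedded copies, stale ones)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = find_embedded_copies(tmp)
        return found, stale_copies(found, reference)


if __name__ == "__main__":
    found, stale = run_demo()
    for lib, path, ver in found:
        print(f"embedded {lib:10} {ver or '?':8} {path}")
    for lib, path, ver, ref in stale:
        print(f"STALE    {lib:10} {ver or '?':8} < packaged {ref}  ({path})")
```

Pointing `find_embedded_copies` at a real unpacked source package gives the list of embedded copies to either strip and replace with a dependency on the separate package, or at least to keep on a watch list, since every advisory for the separate package then has to be re-checked against the copy.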

