
Re: please remove twiki from lenny



On Sun, Dec 21, 2008 at 02:14:45PM +0100, Nico Golde wrote:
> please remove the twiki package from testing. twiki is a
> regular candidate for security issues that pop up.
> Currently it has two security issues unfixed (one[0] enables an
> attacker to do code execution) and there was lately no
> progress on fixing the bug. For the other issue[1] there
> is also hardly any movement.
> 
> As we are not even in sync with the upstream versions I
> doubt we can properly support twiki with security fixes
> during the lenny lifecycle.
> 
> [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508257
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508256

I'm disappointed that the code execution hasn't been addressed (in
testing or stable) but upstream do provide a trivial patch for the
version of twiki we have in Debian. If I was to NMU this (I've already
applied it manually on my system) would this mitigate the need to remove
twiki? The danger of removing it is that people will then have
completely unmaintained versions of twiki sitting on their systems.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

