Re: Bug#508257: Bug#508256: please remove twiki from lenny

[Sven Dowideit <SvenDowideit@home.org.au>]

Sadly, the upstream fix doesn't address the root cause of the url
parameter problem (and we've reported to them at least one exploit that
is unfixed by their patch), and I'm working on the Foswiki fork of
twiki, which is addressing the security issues we know about in what I
consider a more thorough way,

 I have not had time to do more serious work on TWiki - including the
debian package.

Unless someone steps in to work more actively on the packaging, I would
have to agree that its better to remove TWiki from Debian at this point.


Sven


Florian Weimer wrote:
> * Dominic Hargreaves:
>
>   
>> I'm disappointed that the code execution isn't hasn't been addressed
>> (in testing or stable) but upstream do provide a trivial patch for
>> the version of twiki we have in Debian. If I was to NMU this (I've
>> already applied it manually on my system) would this mitigate the
>> need to remove twiki?
>>     
>
> We'd rather see someone testing a more complete patch (collecting
> fixes for all the reported problems) on a production system.
>
>
>