
Re: oldstable: mt-daapd update addressing #555231



On Wed, 11 Nov 2009 23:02:23 +0100 Julien BLACHE wrote:
> "Adam D. Barratt" wrote:
> 
> Hi,
> 
> > How big is the diff from prototype 1.4.0 (as used in the current
> > package) to 1.6.1?  The bug report mentions that patches fixing the two
> 
> Don't know, I haven't even looked. There were other issues before those
> two I believe, and they never got fixed. I know that the web interface
> works just fine with 1.6.1 so upgrading to 1.6.1 is not an issue.
> 
> > CVEs are available, although I wasn't entirely clear as to whether they
> > apply to 1.4.0 or not.
> 
> My bet is they don't; 1.4.0 is pretty ancient now.

the prototype.js CVEs do apply to 1.4.0.

> > The bug log also mentions that you were planning to upload a fixed
> > package to oldstable-security; is that no longer the case?
> 
> Re-reading the report, it doesn't actually ask for a security upload. I
> have no preference for security vs. opu, although I don't think this
> issue is worth a security upload given mt-daapd is not a web app, which
> reduces the scope of the vulnerabilities considerably IMO.

from the security team's perspective, there are way too many
packages affected by the prototype.js flaw to issue DSAs for all of
them, so they all will/should be handled via stable-proposed-updates.

mike

