Bug#776458: unblock: dolibarr/3.5.5+dfsg1-1
Hi,
On Sun, 08 Feb 2015, Ivo De Decker wrote:
> On Wed, Jan 28, 2015 at 09:50:30AM +0100, Raphael Hertzog wrote:
> > Please unblock package dolibarr
>
> > Version 3.5.5+dfsg1-1 fixes a security issue: CVE-2014-7137 (Closes: #770313)
>
> This bug was filed by the security team as 'grave', but downgraded by the
> maintainer to 'important' without explanation. If the issue is actually grave,
> the severity should be increased again.
Well, the maintainer explained (to me only apparently) that the issue is
only exploitable with privileged accounts so that the threat is not very
high and I thus instructed him that it's his responsibility to downgrade
the bug if he doesn't want the packages to be removed from Jessie.
Later the security team contacted him about this CVE and asked him to
request an unblock because it would be better to release Jessie without
an open CVE on dolibarr.
> The diff is very large, and it probably contains lots of changes that are not
> appropriate at this point of the freeze. If you think this is not the case,
> please explain why.
It's certainly the case, but the package is a leaf package and the fixed
version has been well tested in sid.
The package maintainer is also the upstream author.
> A targeted fix for this issue is probably better.
I don't see what a targeted fix brings us given that the only risk of
regression is in dolibarr itself (and Dolibarr is maintained).
Laurent, what's your opinion? Would you be willing to prepare a targeted fix?
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/