Re: FWD: Squirrelmail XSS + SQL security bug?
On Mon, Jul 05, 2004 at 10:57:16PM +0200, Jeroen van Wolffelaar wrote:
> I've done a squirrelmail NMU in fruitful cooperation with one of the
> upstream squirrelmail maintainers, former stable release manager Thijs
> Kinkhorst, who happens to also be a personal friend of mine.
Thanks very much for your efforts.
Would Thijs Kinkhorst be willing to act as a point of contact for the Debian
Security Team on squirrelmail issues? I think Debian would benefit greatly
from such a resource.
> I'm forwarding this conversation to him, in the hope that he can comment
> on it. Since he is a Debian user himself, I'm sure he understands our
> situation, but of course, I don't know how much time he'd like to allocate
> for the 1.2.x branch that's in woody now -- don't count on anything.
I do not expect him to spend time directly on the 1.2.x branch. It is
enough to provide specific information about the vulnerabilities: that is,
sufficient information for us to understand which code is affected and the
nature of the fix. The patches used in the 1.4.x series (or pointers to the
relevant CVS commits) are ideal. Given this information, we can adapt the
fix as necessary to 1.2.x.
We do not expect upstream to do our backporting work for us, only to
cooperate with us by providing the information needed to make it possible.
> Meanwhile, I guess it'd be useful to have specific references to issues...
> Adam, do you have them? Anyway, I'll ask Thijs about the 1.4.x issues, and
> get back to it (in private if there are unsolved issues involved).