
Re: [SECURITY] [DSA 1523-1] New ikiwiki packages fix cross-site scripting

Axel Beckert said at 18/03/2008 14:56:
On Tue, Mar 18, 2008 at 10:00:18AM +0000, Ronny Adsetts wrote:
For the unstable distribution (sid), this problem has been fixed in
version 2.31.1.
Ehm, that's strange somehow since unstable, testing and even
etch-backports already have ikiwiki 2.40:

See here for the fix which was in v 2.31.1:

That's not the question. The question is, why does the security team
release 2.31.1 as a security update while 2.40 is the current version,
and has been for more than just a few days?

If the fix is already in 2.40, 2.40 shouldn't need a security update
and if 2.40 is vulnerable, 2.31.1 will never be installed as security
update. So why the lower version as security update? It just doesn't
seem to make sense.

My understanding is that the security team don't generally provide updates for unstable. The DSA simply notes the unstable version in which the security hole was fixed.

I assume in this case the DSA was prepared before the newer version was uploaded to unstable.

Can someone from the security team correct me if I'm wrong.

Ronny Adsetts
Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com

Registered office: UK House, 82 Heath Road, Twickenham TW1 4BW
Registered in England. Company No. 4042957
