
Re: [SECURITY] [DSA 1523-1] New ikiwiki packages fix cross-site scripting



Hi,

On Tue, Mar 18, 2008 at 10:00:18AM +0000, Ronny Adsetts wrote:
> >>For the unstable distribution (sid), this problem has been fixed in
> >>version 2.31.1.
> >
> >Ehm, that's strange somehow since unstable, testing and even
> >etch-backports already have ikiwiki 2.40:
> >
> >http://packages.debian.org/ikiwiki
> 
> See here for the fix which was in v 2.31.1:

That's not the question. The question is, why the security team
releases 2.31.1 as security update while 2.40 is the current version
and not only since a few days.

If the fix is already in 2.40, 2.40 shouldn't need a security update
and if 2.40 is vulnerable, 2.31.1 will never be installed as security
update. So why the lower version as security update? It just doesn't
seem to make sense.

		Regards, Axel
-- 
Axel Beckert - abe@deuxchevaux.org, abe@noone.org - http://noone.org/abe/

