Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

[Michael Gilbert <michael.s.gilbert@gmail.com>]

On Mon, 11 Oct 2010 09:46:04 -0500, Jordon Bedwell wrote:
> On Mon, 2010-10-11 at 10:40 -0400, Michael Gilbert wrote:
> > The problem here appears to be the jump to the new upstream version
> > (1.8.2 to 1.8.13), which has a different dependency set.  New
> > upstreams are usually disallowed in security uploads.  The question
> > is why was that OK in this case, rather than the standard backporting
> > approach?
> 
> Perhaps there was more to this "security problem" than they're telling
> us?

I highly doubt that there is anything malicious going on here, and there
is always the "Debian does not hide problems" mantra.  The simplest,
and most-likely explanation is that it was easier to update to the new
upstream, rather than attempt to backport fixes for 11 separate issues.

Best wishes,
Mike