On Fri, Feb 26, 2016 at 11:38:03AM +0100, Vincent Danjean wrote:
> Package: dotclear
> Version: 2.8.0+dfsg-1
> Severity: serious
> Tags: security
> Justification: security
>
> Hi,
>
> I've been using Debian packages of dotclear (a php blogs engine) for a few years.
> For 6 months, the package has not changed, and I did not get any answer to
> my previous bug reports, including an important one (#797055) that probably
> prevents anyone from using the Debian package as-is.
> I just saw today that two minor releases have been published that
> fix security bugs. From upstream webpage:
> ===========
> News
>
> 2015 Oct 25 Dotclear 2.8.2
>
> A new maintenance release which fixes one potential XSS vulnerability in
> comments's list and enforce media extension before upload[1] (thanks to Tim
> Coen, Curesec Gmbh, for reporting them) and two...
>
> 2015 Sep 23 Dotclear 2.8.1
>
> A new maintenance release which fixes one potential XSS vulnerabilities
> (thanks to Yuji Tounai of NTT Com Security (Japan) KK, via Keiko Yashiki from
> JPCERT/CC) and two other bugfixes. Your dashboard...
> ===========
>
> I tagged this bug with a serious severity so that, if dotclear is not
> maintained anymore, it will be removed from testing (so admins tracking
> testing will be notified and can manually install the upstream versions).
> If dotclear is still maintained (I hope for that), then an update must be done.

2.5 months later still no change, let's remove it from the archive?

Cheers,
Moritz