On Fri, Feb 26, 2016 at 11:38:03AM +0100, Vincent Danjean wrote:
> Package: dotclear
> Version: 2.8.0+dfsg-1
> Severity: serious
> Tags: security
> Justification: security
> 
>   Hi,
> 
>   I've been using the Debian packages of dotclear (a PHP blog engine) for a few years.
> For 6 months, the package has not changed, and I did not get any answer to
> my previous bug reports, including an important one (#797055) that probably
> prevents anyone from using the Debian package as-is.
>   I just saw today that two minor releases have been published that
> fix security bugs. From upstream webpage:
> ===========
> News
> 
> 2015 Oct 25 Dotclear 2.8.2
> 
>     A new maintenance release which fixes one potential XSS vulnerability in
> comments's list and enforce media extension before upload[1] (thanks to Tim
> Coen, Curesec Gmbh, for reporting them) and two...
> 
> 2015 Sep 23 Dotclear 2.8.1
> 
>     A new maintenance release which fixes one potential XSS vulnerabilities
> (thanks to Yuji Tounai of NTT Com Security (Japan) KK, via Keiko Yashiki from
> JPCERT/CC) and two other bugfixes. Your dashboard...
> ===========
> 
>   I tagged this bug with a serious severity so that, if dotclear is not
> maintained anymore, it will be removed from testing (so admins tracking testing
> will be notified and can manually install the upstream versions). If dotclear
> is still maintained (I hope for that), then an update must be done.

2.5 months later still no change, let's remove it from the archive?

Cheers,
        Moritz
