Hi,

On Sat, May 07, 2016 at 11:30:27PM +0200, Moritz Mühlenhoff wrote:
> On Fri, Feb 26, 2016 at 11:38:03AM +0100, Vincent Danjean wrote:
> > Package: dotclear
> > Version: 2.8.0+dfsg-1
> > Severity: serious
> > Tags: security
> > Justification: security
> >
> > Hi,
> >
> > I have been using the Debian packages of dotclear (a PHP blog engine) for a few
> > years.
> > For 6 months, the package has not changed, and I did not get any answer to
> > my previous bug reports, including an important one (#797055) that probably
> > prevents anyone from using the Debian package as-is.
> > I just saw today that two minor releases have been published that
> > fix security bugs. From the upstream web page:
> > ===========
> > News
> >
> > 2015 Oct 25 Dotclear 2.8.2
> >
> > A new maintenance release which fixes one potential XSS vulnerability in
> > the comments list and enforces media extension before upload[1] (thanks to Tim
> > Coen, Curesec GmbH, for reporting them) and two...
> >
> > 2015 Sep 23 Dotclear 2.8.1
> >
> > A new maintenance release which fixes one potential XSS vulnerability
> > (thanks to Yuji Tounai of NTT Com Security (Japan) KK, via Keiko Yashiki from
> > JPCERT/CC) and two other bugfixes. Your dashboard...
> > ===========
> >
> > I tagged this bug with a serious severity so that, if dotclear is not
> > maintained anymore, it will be removed from testing (so admins tracking testing
> > will be notified and can manually install the upstream versions). If dotclear
> > is still maintained (I hope for that), then an update must be done.
>
> 2.5 months later still no change, let's remove it from the archive?
I think this sounds sensible. Since then, other issues have been found as well:

http://www.openwall.com/lists/oss-security/2016/05/04/9

(does not yet have a CVE). The last upload to the archive was back in August of 2015.

Regards,
Salvatore