On Sat, Feb 19, 2005 at 01:27:12PM +0100, Thijs Kinkhorst wrote:
> Jeroen,
>
> One solution to this is just use absolute path names. In that case we know
> for sure that the file will be found there and the security hole keeps
> being closed. A "real" fix has been made in SquirrelMail 1.2.7 but that's
> too much code change for an update to stable.
>
> Are you ok with this fix?

Didn't review it yet, so no opinion yet.

> We can probably only upload it if someone ever discovers a new security
> hole in squirrelmail-1.2.6, right?

If we really broke something in a security update (regression), we can
usually fix that up, even if there is no other security fix found. That's
what a DSA XXX-2, etc, are for. The idea of a security fix in Debian is that
the change will be so that no existing legitimate uses will stop working, if
possible.

--Jeroen

--
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

