CCed to Debian security team, as I notice that the version of web2py in jessie is the same version as in wheezy, so presumably they will have the same issues.
Brian May <[email protected]> writes:

> I am inclined to think that the code has changed so much since the
> wheezy version, that the current vulnerabilities are unlikely to be
> applicable.
>
> Even if you take the view that they are unless proven otherwise, and you
> can positively identify the concerned patches (upstream doesn't appear
> to be helping yet here), I don't think it is going to be feasible to
> backport these changes to wheezy, due to the significant code base
> differences.
>
> https://github.com/web2py/web2py/issues/1585#issuecomment-284320439

Wondering what to do from here. I guess the options are:

1. Wait longer for upstream response.
2. Try backporting jessie version to wheezy and adding security fixes.
3. Try backporting stretch version to wheezy.
4. Try backporting sid version to wheezy.
5. Mark web2py as unsupported in wheezy.

Any others?

Scratch option 2, the versions are the same in Jessie and Wheezy - both have 1.99.7-1.

Scratch option 3, the package isn't in stretch. Probably due to an outstanding RC bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842303.

For option 4, wheezy/jessie has version 1.99.7-1 and sid has 2.12.3-1 (latest upstream version is 2.14.6) - I imagine upgrading this might have compatibility issues. Not to mention that RC bug concerning licensing.

Considering this won't be in the next release of Debian, I am inclined to pick option 5.

Any comments?

--
Brian May <[email protected]>
