On Fri, Oct 04, 2019 at 04:45:16PM +0200, Sylvain Beucler wrote:
> Hi,
>
> The vulnerabilities are important and upstream does not provide any
> fixed release.
> This means all ampache installations (Debian and non-Debian) are at risk.
>
> It would be worth explaining the situation to upstream and requesting
> his explicit stance on the matter.
>
> I believe this will make the decision easier, and contribute to raise
> awareness about good security practices.
>

Someone already made such a request in the issue, to which the author responded with the 39k line commit and the list of "specific changes" buried therein. However, I am not opposed to making a more detailed and thorough request with rationale to see if that might yield some useful information.

Regards,

-Roberto

--
Roberto C. Sánchez
