On Fri, Oct 04, 2019 at 11:53:14AM -0400, Roberto C. Sánchez wrote:
> On Fri, Oct 04, 2019 at 04:45:16PM +0200, Sylvain Beucler wrote:
> > Hi,
> >
> > The vulnerabilities are important and upstream does not provide any
> > fixed release.
> > This means all ampache installations (Debian and non-Debian) are at risk.
> >
> > It would be worth explaining the situation to upstream and requesting
> > his explicit stance on the matter.
> >
> > I believe this will make the decision easier, and contribute to raising
> > awareness about good security practices.
> >
> Someone already made such a request in the issue, to which the author
> responded with the 39k line commit and the list of "specific changes"
> buried therein. However, I am not opposed to making a more detailed and
> thorough request with rationale to see if that might yield some useful
> information.
>

I have commented on the upstream GitHub issue with a request for assistance
from the author. I am inclined to wait perhaps a week for a reply. If no
reply is received, or a negative reply, then it would seem that declaring
ampache unsupported might be the only alternative. If the author is willing
to help, then a new assessment can be made based on the scope of the changes.

Regards,

-Roberto

-- 
Roberto C. Sánchez
