[Sorry for all the personal copies, just making sure the message is actually read]

Thijs Kinkhorst wrote:
>
> I'm not sure where you see that the severity is unjustified? As far as I
> know it still contains and uses an embedded code copy which is present as
> a separate package in the archive. I think that is a serious issue and
> don't see why it should go unresolved.
>
> It has a similar problem with libphp-phpmailer. It has an XSS bug open
> without any action for months. It has had three NMU's in a row. It's
> currently orphaned, new maintainership is there but is only just starting
> up as it seems.

Moodle was the source of my inspiration for some recent additions to lintian
(credits for the yahoo js check go to Chris Lamb, IIRC):

$ lintian -C files moodle_1.8.2-1.3_all.deb | g embedded
W: moodle: embedded-php-library usr/share/moodle/lib/adodb/adodb.inc.php
W: moodle: embedded-javascript-library usr/share/moodle/lib/editor/tinymce/jscripts/tiny_mce/tiny_mce.js
W: moodle: embedded-javascript-library usr/share/moodle/lib/editor/tinymce/jscripts/tiny_mce/tiny_mce_popup.js
W: moodle: embedded-javascript-library usr/share/moodle/lib/editor/tinymce/jscripts/tiny_mce/tiny_mce_src.js
W: moodle: embedded-php-library usr/share/moodle/lib/phpmailer/class.phpmailer.php
W: moodle: embedded-php-library usr/share/moodle/lib/smarty/Smarty.class.php
W: moodle: embedded-php-library usr/share/moodle/lib/smarty/Smarty_Compiler.class.php
W: moodle: embedded-javascript-library usr/share/moodle/lib/yui/yahoo-dom-event/yahoo-dom-event.js
W: moodle: embedded-javascript-library usr/share/moodle/lib/yui/yahoo/yahoo-min.js
W: moodle: embedded-javascript-library usr/share/moodle/lib/yui/yahoo/yahoo.js

PS. Thijs, this is an indirect way to point you (and the other security team &
related folks) to the new embedded code copies checks in lintian; HTH.

>
> There are many more open security issues in stable:
> http://security-tracker.debian.net/tracker/source-package/moodle
>
> Security issues are frequent in this package so it needs an active
> maintainer to keep up with it, which it currently hasn't got.
>
>
> Thijs
>

Cheers,
-- 
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
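
An added example, not part of the original message and not lintian's own code: a filename-based check that emits the same kind of embedded-library warnings for a package's file list. The pattern table, the `embedded_copies` function, the assumption that libphp-phpmailer is the package shipping `class.phpmailer.php`, and the sample file list are all constructed for illustration from the names in the output above.

```python
import re
from pathlib import PurePosixPath

# Patterns constructed for this example from the file names in the message;
# they are not lintian's own tables.
# Each entry: (tag, basename regex, package that legitimately ships the file).
KNOWN_LIBRARIES = [
    ("embedded-php-library", re.compile(r"adodb\.inc\.php"), None),
    # Owner assumed from the message's mention of libphp-phpmailer.
    ("embedded-php-library", re.compile(r"class\.phpmailer\.php"), "libphp-phpmailer"),
    ("embedded-php-library", re.compile(r"Smarty(_Compiler)?\.class\.php"), None),
    ("embedded-javascript-library", re.compile(r"tiny_mce(_popup|_src)?\.js"), None),
    ("embedded-javascript-library", re.compile(r"yahoo(-dom-event|-min)?\.js"), None),
]


def embedded_copies(package, file_list):
    """Return lintian-style warning lines for known library files in file_list."""
    findings = []
    for path in sorted(file_list):
        name = PurePosixPath(path).name
        for tag, pattern, owner in KNOWN_LIBRARIES:
            # The package that ships the library itself is not an embedded copy.
            if package != owner and pattern.fullmatch(name):
                findings.append(f"W: {package}: {tag} {path}")
                break
    return findings


# Constructed file list: three paths from the message plus two unrelated files
# that must not be flagged (one shares the "yahoo" stem but is not the JS file).
SAMPLE_FILES = [
    "usr/share/moodle/lib/phpmailer/class.phpmailer.php",
    "usr/share/moodle/lib/adodb/adodb.inc.php",
    "usr/share/moodle/lib/yui/yahoo/yahoo-min.js",
    "usr/share/moodle/lib/moodlelib.php",
    "usr/share/moodle/lang/en_utf8/yahoo.php",
]

if __name__ == "__main__":
    for line in embedded_copies("moodle", SAMPLE_FILES):
        print(line)
```

Each reported path is a copy that has to be patched separately whenever the packaged library gets a security fix, which is why the check exempts only the package that owns the file.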

