Thanks for this confirmation, Dave. I'll take care of the next steps with the Debian security team.

Just a comment, on such security-wise issues, I think it would be safer to use GPG signed messages, just for added security.

Also, see more comments below.

Best regards,

On Thursday 27 March 2008 at 10:45 +0000, Dave Hall wrote:
> Hi Olivier,
>
> I thought I would reply publicly here in addition to my email last night
> my time.
>

SNIP

> Just so people are clear CVE-2007-4048 was not exploitable when running
> phpsysinfo from within phpGroupWare.

Good news.

Dunno if this is possible, but there are lots of references to that security problem in phpgroupware that may be worth tracking and signaling as not accurate.

> In 0.9.16.012 you got an updated
> (and more secure) version of phpsysinfo.
>

That wouldn't hurt for sure ;)

> > Btw, if there's a security related list, it may be worth being on board
> > as soon as possible to be able to prepare patches and so on for the
> > Debian package...
>
> There isn't such a list. What I usually try to do is grab our packagers to
> let them know what is happening in advance - by a couple of hours. I am
> happy to try to provide security only patches on request, or give you a
> list of svn revision/s to grab.
>

At the moment, is there such a list concerning 0.9.16.012? ... or at least fixes not related to security on that branch (I've seen a couple, I think).

Best regards,
--
Olivier BERGER <[EMAIL PROTECTED]> (*NEW ADDRESS*)
http://www-inf.it-sudparis.eu/~olberger/ - OpenPGP-Id: 1024D/6B829EEC
Research Engineer - Dept INF
Institut TELECOM / TELECOM & Management SudParis (http://www.it-sudparis.eu/), Evry
