On Thu, 2008-03-27 at 13:13 +0100, Olivier Berger wrote:
> Thanks for this confirmation Dave.
>
> I'll take care of the next steps with the Debian security team.
>
> Just a comment, on such security-wise issues, I think it would be safer
> to use GPG signed messages, just for added security.
>

That would require me to brute force the pass phrase on my gpg key

> Also, see more comments below.

ditto

> > Just so people are clear CVE-2007-4048 was not exploitable when running
> > phpsysinfo from within phpGroupWare.
>
> Good news. Dunno if this is possible, but there are lots of references to
> that security problem in phpgroupware that may be worth tracking and
> signaling as not accurate.

We got on those lists thanks to Debian saying we were vulnerable and us pushing a release. The Debian security team wanted it fixed "yesterday", so I did my best. Yes I should have verified it, but you assume they had done their homework before complaining so loudly.

> > There isn't such a list. What I usually try to grab our packagers to
> > let them know what is happening in advance - by a couple of hours. I am
> > happy to try to provide security only patches on request, or give you a
> > list of svn revision/s to grab.
> >
>
> At the moment, is there such a list concerning 0.9.16.012 ? ... or at
> least fixes not related to security on that branch (I've seen a couple,
> I think).

The list is in my sent items folder :)

As for what is/isn't security related in 0.9.16.x - everything added since 0.9.16.012 isn't security related AFAIK.

Cheers

Dave

_______________________________________________
phpGroupWare-developers mailing list
http://lists.gnu.org/mailman/listinfo/phpgroupware-developers
