Bug#815979: dotclear: New minor releases with security fixes

2016-05-08 Thread Salvatore Bonaccorso
Hi,

On Sat, May 07, 2016 at 11:30:27PM +0200, Moritz Mühlenhoff wrote:
> On Fri, Feb 26, 2016 at 11:38:03AM +0100, Vincent Danjean wrote:
> > Package: dotclear
> > Version: 2.8.0+dfsg-1
> > Severity: serious
> > Tags: security
> > Justification: security
> > 
> >   Hi,
> > 
> >   I have been using the Debian packages of dotclear (a PHP blog engine) for a few years.
> > For 6 months, the package has not changed, and I did not get any answer to
> > my previous bug reports, including an important one (#797055) that probably
> > prevents anyone from using the Debian package as-is.
> >   I just saw today that two minor releases have been published that
> > fix security bugs. From the upstream web page:
> > ===
> > News
> > 
> > 2015 Oct 25 Dotclear 2.8.2
> > 
> > A new maintenance release which fixes one potential XSS vulnerability in
> > the comments list and enforces media extension before upload[1] (thanks to Tim
> > Coen, Curesec GmbH, for reporting them) and two...
> > 
> > 2015 Sep 23 Dotclear 2.8.1
> > 
> > A new maintenance release which fixes one potential XSS vulnerability
> > (thanks to Yuji Tounai of NTT Com Security (Japan) KK, via Keiko Yashiki from
> > JPCERT/CC) and two other bugfixes. Your dashboard...
> > ===
> > 
> >   I tagged this bug with a serious severity so that, if dotclear is not
> > maintained anymore, it will be removed from testing (so admins tracking testing
> > will be notified and can manually install the upstream versions). If dotclear
> > is still maintained (I hope for that), then an update must be done.
> 
> 2.5 months later, still no change; let's remove it from the archive?

I think this sounds sensible. Since then, other issues have been found as
well: http://www.openwall.com/lists/oss-security/2016/05/04/9 (does not yet
have a CVE). The last upload to the archive was back in August 2015.

Regards,
Salvatore



Bug#815979: dotclear: New minor releases with security fixes

2016-05-07 Thread Moritz Mühlenhoff
On Fri, Feb 26, 2016 at 11:38:03AM +0100, Vincent Danjean wrote:
> Package: dotclear
> Version: 2.8.0+dfsg-1
> Severity: serious
> Tags: security
> Justification: security
> 
>   Hi,
> 
>   I have been using the Debian packages of dotclear (a PHP blog engine) for a few years.
> For 6 months, the package has not changed, and I did not get any answer to
> my previous bug reports, including an important one (#797055) that probably
> prevents anyone from using the Debian package as-is.
>   I just saw today that two minor releases have been published that
> fix security bugs. From the upstream web page:
> ===
> News
> 
> 2015 Oct 25 Dotclear 2.8.2
> 
> A new maintenance release which fixes one potential XSS vulnerability in
> the comments list and enforces media extension before upload[1] (thanks to Tim
> Coen, Curesec GmbH, for reporting them) and two...
> 
> 2015 Sep 23 Dotclear 2.8.1
> 
> A new maintenance release which fixes one potential XSS vulnerability
> (thanks to Yuji Tounai of NTT Com Security (Japan) KK, via Keiko Yashiki from
> JPCERT/CC) and two other bugfixes. Your dashboard...
> ===
> 
>   I tagged this bug with a serious severity so that, if dotclear is not
> maintained anymore, it will be removed from testing (so admins tracking testing
> will be notified and can manually install the upstream versions). If dotclear
> is still maintained (I hope for that), then an update must be done.

2.5 months later, still no change; let's remove it from the archive?

Cheers,
Moritz



Bug#815979: dotclear: New minor releases with security fixes

2016-02-26 Thread Vincent Danjean
Package: dotclear
Version: 2.8.0+dfsg-1
Severity: serious
Tags: security
Justification: security

  Hi,

  I have been using the Debian packages of dotclear (a PHP blog engine) for a few years.
For 6 months, the package has not changed, and I did not get any answer to
my previous bug reports, including an important one (#797055) that probably
prevents anyone from using the Debian package as-is.
  I just saw today that two minor releases have been published that
fix security bugs. From the upstream web page:
===
News

2015 Oct 25 Dotclear 2.8.2

A new maintenance release which fixes one potential XSS vulnerability in
the comments list and enforces media extension before upload[1] (thanks to Tim
Coen, Curesec GmbH, for reporting them) and two...

2015 Sep 23 Dotclear 2.8.1

A new maintenance release which fixes one potential XSS vulnerability
(thanks to Yuji Tounai of NTT Com Security (Japan) KK, via Keiko Yashiki from
JPCERT/CC) and two other bugfixes. Your dashboard...
===

  I tagged this bug with a serious severity so that, if dotclear is not
maintained anymore, it will be removed from testing (so admins tracking testing
will be notified and can manually install the upstream versions). If dotclear
is still maintained (I hope for that), then an update must be done.

  Note that I do not know whether the security bugs also apply to the
jessie version.

  Regards,
Vincent

-- System Information:
Debian Release: stretch/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'squeeze-lts'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, mipsel

Kernel: Linux 4.4.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dotclear depends on:
ii  apache2 [httpd]                        2.4.18-1
ii  dbconfig-common                        2.0.3
ii  debconf [debconf-2.0]                  1.5.58
pn  libapache2-mod-php5 | php5 | php5-cgi  
ii  libjs-jquery                           1.11.3+dfsg-4
ii  libjs-jquery-cookie                    10-2
ii  libjs-jquery-ui                        1.10.1+dfsg-1
pn  php5-cli                               
pn  php5-mysql | php5-pgsql | php5-sqlite  
ii  sqlite3                                3.11.0-2

Versions of packages dotclear recommends:
ii  apache2 [httpd]                             2.4.18-1
pn  mysql-server | mariadb-server | postgresql  

dotclear suggests no packages.

-- debconf information excluded