[pkg-horde] Bug#464058: [horde-vendor] Bug#464058: turba access checking issue
Chuck Hagenbuch
chuck at horde.org
Mon Feb 18 23:26:38 UTC 2008
Quoting Gregory Colpart <reg at evolix.fr>:
> Thanks a lot for your final patches. Turba 2.1.7 is already in
> Debian unstable distribution. But for Debian stable and
> oldstable, I can't upload version 2.1.7: I need to backport
> security changes. Could you review my backported patches?
>
> - Patch for Turba 2.1.4 (Debian stable):
> http://gcolpart.evolix.net/debian/turba2/turba2_2.1.3-1_2.1.3-1etch1.diff
>
> - Patch for Turba 2.0.2 (Debian oldstable):
> http://gcolpart.evolix.net/debian/turba2/turba2_2.0.2-1_2.0.2-1sarge1.diff

I don't feel qualified without a _lot_ more time to review the 2.0.x
patch; that is very, very different from the current code.

The 2.1.4 patch seems to have a bunch of extra stuff in it - I would
just do the changes to Group.php, sql.php, and browse.php. If you're
also including different fixes those would have to be reviewed
separately - those changes are a bit harder to follow.

> Note: FYI, Debian security team requested CVE id for this security issue.

We got the report from you, so unless you created one I don't think
there is one. Or do you mean that they started the process of creating
one from CVE?

-chuck