[Pkg-mediawiki-devel] Bug#685324: Local File Inclusion Vulnerability in contrib script

Steven Chamberlain steven at pyro.eu.org
Mon Aug 20 03:12:10 UTC 2012 

tags 685324 + moreinfo unreproducible
tags 685323 + moreinfo unreproducible
merge 685324 685323
severity 685326 wishlist
merge 685326 584251
thanks

Hi,

Were these reports of security issues supposed to be genuine?

Or was this simply your "idea on how to get them to update GeSHi". [1]

You refer to vulnerabilities in unspecified "contrib" scripts, but it
seems to me that Debian does not even ship them in the php-geshi package.


"Debian who STILL believes the most recent version is 1.0.8.4", actually
identifies the latest version as 1.0.8.10 on the PTS [2], with a link to
the source tarball, and that will surely update within a few hours to
indicate the new 1.0.8.11 release.

Yes, you already filed a wishlist bug asking for someone to package the
new version, so there was no reason to file a new 'serious'-severity
duplicate just now demanding the same.

It seems to me you are in fact wasting the time of whoever would
potentially package your software, of developers busy fixing serious
issues to make the next Debian release happen, and of the security team,
who would be kindly looking after users for the package's 2-3 year term
in stable/oldstable.


Some users really prefer long-term, unchanging versions, because they
deploy lots of software that they don't want to have to review for
what's changed, update it, re-test and check compatibility on a regular
basis.  Debian's stable distribution fulfills that need.

The freeze deadline has already passed, for someone to have
_volunteered_ to update the GeSHi package in time for the Wheezy release
process.  The only exception now might be for a genuine security fix or
serious flaw (which would probably be only a minimal patch for the
specific issue),

It is possible for more frequent updates to be packaged in testing or
backports, for example to support new programming languages, but it
would require continued effort on the part of a volunteer maintainer.
That person would have had to process your bug reports too.

[1] http://blog.benny-baumann.de/?p=1297

[2] http://packages.qa.debian.org/g/geshi.html

Regards,
-- 
Steven Chamberlain
steven at pyro.eu.org

More information about the Pkg-mediawiki-devel mailing list