[Secure-testing-team] Please unblock gallery 1.5.9-1
Adeodato Simó
dato at net.com.org.es
Sat Oct 4 21:53:01 UTC 2008
CCing maintainer, who was dropped from the discussion.
* Moritz Muehlenhoff [Sat, 04 Oct 2008 22:28:15 +0200]:
> On Tue, Sep 30, 2008 at 11:34:30AM +0100, Neil McGovern wrote:
> > On Mon, Sep 29, 2008 at 10:41:15AM -0400, Michael Schultheiss wrote:
> > > Please unblock gallery 1.5.9-1. This is a security release that fixed
> > > CVE-2008-3662 and CVE-2008-4129. The CVEs were not listed in the
> > > changelog since I did not know the CVE numbers when the package was
> > > built.
> > Gah.
> > Images have changed, $Id$ changes and whitespace formatting, as well as things like:
> > - $gallery->user->canCreateSubAlbum($gallery->album)) {
> > + $gallery->user->canCreateSubAlbum($gallery->album))
> > + {
> > Some pofiles also seem to have disappeared.
> > This all leads to:
> > 828 files changed, 43756 insertions(+), 431897 deletions(-)
> > I'm not reviewing this, sorry.
> > s-t team: if someone can do so, I'll hint it in. Otherwise, I'll need a DTSA please.
> This has happened for previous Gallery releases before and in fact many
> issues are still open in Etch:
> gallery2 CVE-2008-4129 medium
>          CVE-2008-1066 low
>          CVE-2008-2720 low
>          CVE-2008-2721 low
>          CVE-2008-2722 low
>          CVE-2008-2723 low
>          CVE-2008-2724 low
>          CVE-2007-6685
>          CVE-2007-6686
>          CVE-2007-6687
>          CVE-2007-6688
>          CVE-2007-6689
>          CVE-2007-6690
>          CVE-2007-6691
>          CVE-2007-6692
>          CVE-2007-6693
>          CVE-2008-3662
>          CVE-2008-4130
> Unless there's more effort by upstream and the maintainer to address this
> by isolated patches and more detailed descriptions of vulnerabilities
> we should rather drop Gallery from Lenny.
> (We already discussed this internally in the Security Team in July for previous
> and came to the conclusion it should rather be removed unless the situation
> improves).
> Cheers,
> Moritz
--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org
Listening to: Pastora - Invasión