[Secure-testing-team] kompozer tracking

Moritz Muehlenhoff jmm at inutil.org
Wed Sep 2 17:07:17 UTC 2009


On Tue, Sep 01, 2009 at 11:16:12PM -0400, Michael S Gilbert wrote:
> Guiseppe,
> 
> in the process of doing the embedded code copies triage, i've come
> across a lot of cases where tracking for kompozer is not done.  i
> understand that this package is relatively new, but since it is derived
> from existing code, it should be checked retroactively for
> vulnerabilities. it looks like the code is copied from
> firefox/thunderbird 2.0.0.20 (according to
> './mozilla/browser/config/version.txt' and other version files, but
> that could be wrong).
> 
> i see that you are the maintainer; can you go through all of the cves
> affecting iceape and either tag kompozer not-affected or fixed?  this
> would help me out a lot since you are already familiar with the
> package, and i have a lot of other issues to look at.  thanks.

I don't think we'll be covering kompozer with security support in
Squeeze. Most of the issues that affect a browser are moot, since
kompozer is used for creating web content, not viewing content from
potentially untrusted sources. We can either track it as unimportant
or remove it from CVE/list altogether. 

Guiseppe, you should probably include a README.Debian.security to
indicate the status.

Cheers,
        Moritz
