[development] Fwd: [SECURITY] [DSA 1125-1] New drupal packages fix execution of arbitrary web script code
Neil McGovern
neilm at debian.org
Fri Jul 28 19:43:02 UTC 2006
On Thu, Jul 27, 2006 at 02:12:13PM -0400, Darrel O'Pry wrote:
> On Thu, 2006-07-27 at 09:56 +0100, Neil McGovern wrote:
> > On Wed, Jul 26, 2006 at 09:25:27PM -0400, James Walker wrote:
> > >
> > > AFAIK, there isn't an active Debian maintainer for Drupal... killes?
> >
> > That would be me. I also produced the security update.
> >
> > Further info on plans with regard to drupal can be found at
> > http://lists.alioth.debian.org/pipermail/pkg-drupal-devel/2006-July/000005.html
> >
> > Sid should include 4.7.2 shortly, which should propagate to etch in time
> > for the release, and I intend to remove the 2.5 packages as soon as
> > possible.
>
> I'm personally of the opinion that php apps shouldn't generally be
> packaged by distros because of the upgrade issues and the fact that it
> isn't really a compiled binary aka not dependent on the rest of the
> distribution's libraries. But splitting the packages by version and
> letting the distro's users deal with the upgrade path seems like a good
> idea.
>
One of the advantages of packaging WebApps by distributions is the
security support that is provided with it. There are additional problems
associated with WebApps, and I'm a co-author on the Debian WebApps
Policy draft[0] and gave a BoF[1] at DebConf[2] about it.
Cheers,
Neil
[0] http://webapps-common.alioth.debian.org/draft/
[1] http://tinyurl.com/fwqhj (Ogg Theora video)
[2] The annual Debian developers' conference
--
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
gpg key - http://www.halon.org.uk/pubkey.txt ; the.earth.li B345BDD3