Package: dotclear
Version: 2.8.0+dfsg-1
Severity: serious
Tags: security
Justification: security

Hi,

I've been using the Debian packages of dotclear (a PHP blog engine) for a few years. For 6 months, the package has not changed, and I did not get any answer to my previous bug reports, including an important one (#797055) that probably prevents anyone from using the Debian package as-is.

I just saw today that two minor releases have been published that fix security bugs. From the upstream webpage:

===========
News

2015 Oct 25
Dotclear 2.8.2
A new maintenance release which fixes one potential XSS vulnerability in comments's list and enforce media extension before upload[1] (thanks to Tim Coen, Curesec Gmbh, for reporting them) and two...

2015 Sep 23
Dotclear 2.8.1
A new maintenance release which fixes one potential XSS vulnerabilities (thanks to Yuji Tounai of NTT Com Security (Japan) KK, via Keiko Yashiki from JPCERT/CC) and two other bugfixes. Your dashboard...
===========

I tagged this bug with a serious severity so that, if dotclear is not maintained anymore, it will be removed from testing (so admins tracking testing will be notified and can manually install the upstream versions).

If dotclear is still maintained (I hope so), then an update must be done.

Note that I do not know whether the security bugs also apply to the jessie version.

Regards,
Vincent

-- System Information:
Debian Release: stretch/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'squeeze-lts'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, mipsel

Kernel: Linux 4.4.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dotclear depends on:
ii  apache2 [httpd]                             2.4.18-1
ii  dbconfig-common                             2.0.3
ii  debconf [debconf-2.0]                       1.5.58
pn  libapache2-mod-php5 | php5 | php5-cgi       <none>
ii  libjs-jquery                                1.11.3+dfsg-4
ii  libjs-jquery-cookie                         10-2
ii  libjs-jquery-ui                             1.10.1+dfsg-1
pn  php5-cli                                    <none>
pn  php5-mysql | php5-pgsql | php5-sqlite       <none>
ii  sqlite3                                     3.11.0-2

Versions of packages dotclear recommends:
ii  apache2 [httpd]                             2.4.18-1
pn  mysql-server | mariadb-server | postgresql  <none>

dotclear suggests no packages.

-- debconf information excluded