yes Debian wheezy is vulnerable, a proposed-update is queued

author smcv <smcv@web>

Tue, 14 Apr 2015 17:33:32 +0000 (13:33 -0400)

committer admin <admin@branchable.com>

Tue, 14 Apr 2015 17:33:32 +0000 (13:33 -0400)
author smcv <smcv@web>
Tue, 14 Apr 2015 17:33:32 +0000 (13:33 -0400)
committer admin <admin@branchable.com>
Tue, 14 Apr 2015 17:33:32 +0000 (13:33 -0400)
diff --git a/doc/bugs/XSS_Alert...__33____33____33__.mdwn b/doc/bugs/XSS_Alert...__33____33____33__.mdwn

index c44ab0971dfa7f69e0dc5c2ec8444793099fa7d9..cb9618777f824e67c8f9b2648fae8940fcc12182 100644 (file)
--- a/doc/bugs/XSS_Alert...__33____33____33__.mdwn
+++ b/doc/bugs/XSS_Alert...__33____33____33__.mdwn
@@ -41,3 +41,13 @@ raghav007bisht@gmail.com
  
  > Are versions `3.20120629` or `3.20130904.1~bpo70+1` vulnerable? (`wheezy` and
  > `wheezy-backports`, respectively) — [[Jon]]
+
+>> 3.20120629 is vulnerable; fixed in 3.20120629.2, which is in the proposed-updates
+>> queue (the security team declined to issue a DSA). The blogspam plugin doesn't
+>> work in wheezy either; again, a fix is in the proposed-updates queue.
+>>
+>> 3.20130904.1~bpo70+1 is almost certainly vulnerable, it looks as though someone
+>> has done a drive-by backport but not kept it updated. None of ikiwiki's Debian
+>> maintainers are involved in that backport; the .deb from jessie (or even from
+>> experimental) works fine on wheezy without recompilation. I use the latest
+>> upstream release from experimental on my otherwise-Debian-7 server. --[[smcv]]
author	smcv <smcv@web>
	Tue, 14 Apr 2015 17:33:32 +0000 (13:33 -0400)
committer	admin <admin@branchable.com>
	Tue, 14 Apr 2015 17:33:32 +0000 (13:33 -0400)