From: smcv Date: Tue, 14 Apr 2015 17:33:32 +0000 (-0400) Subject: yes Debian wheezy is vulnerable, a proposed-update is queued X-Git-Tag: 3.20150610~103^2~1 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/8ad932efd511376c3a9889b40a8fb16e2ba5e9a3 yes Debian wheezy is vulnerable, a proposed-update is queued --- diff --git a/doc/bugs/XSS_Alert...__33____33____33__.mdwn b/doc/bugs/XSS_Alert...__33____33____33__.mdwn index c44ab0971..cb9618777 100644 --- a/doc/bugs/XSS_Alert...__33____33____33__.mdwn +++ b/doc/bugs/XSS_Alert...__33____33____33__.mdwn @@ -41,3 +41,13 @@ raghav007bisht@gmail.com > Are versions `3.20120629` or `3.20130904.1~bpo70+1` vulnerable? (`wheezy` and > `wheezy-backports`, respectively) — [[Jon]] + +>> 3.20120629 is vulnerable; fixed in 3.20120629.2, which is in the proposed-updates +>> queue (the security team declined to issue a DSA). The blogspam plugin doesn't +>> work in wheezy either; again, a fix is in the proposed-updates queue. +>> +>> 3.20130904.1~bpo70+1 is almost certainly vulnerable, it looks as though someone +>> has done a drive-by backport but not kept it updated. None of ikiwiki's Debian +>> maintainers are involved in that backport; the .deb from jessie (or even from +>> experimental) works fine on wheezy without recompilation. I use the latest +>> upstream release from experimental on my otherwise-Debian-7 server. --[[smcv]]
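Review bot: The first added paragraph (the `>>` reply beginning "3.20120629 is vulnerable") records a status that will go stale: "is in the proposed-updates queue" is only true until the upload is accepted or rejected, and the reply carries no date. Consider dating that statement, or updating it once 3.20120629.2 reaches wheezy, so a reader checking an installed package can tell whether the fix has shipped. In the second paragraph, "almost certainly vulnerable" for 3.20130904.1~bpo70+1 is given without naming the first release that contains the fix; adding that version would let backport users compare version numbers instead of relying on the estimate. Minor: "almost certainly vulnerable, it looks as though" is a comma splice, and a semicolon would read better.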