Comment 13 for bug 345263

Fabrice Coutadeur (fabricesp) wrote :

Hi,

AFAIK, we have 3 options:
- sync the 4 missing packages (php-mdb2, php-mdb2-driver-mysql, php-mdb2-driver-pgsql and php-mdb2-driver-sqlite) from unstable
- Go back to 0.1.1-10, which is the previous version in Jaunty (and in etch backports), and try to patch the vulnerabilities marked as fixed in 0.2.1
- Try to patch 0.2 to use db instead of mdb2

The last option is not really an option, as we will diverge from upstream and Debian, and it will require a lot of testing to be sure everything is working fine.

For option 2, here are the vulnerabilities that are referenced in the changelog of 0.2.1 and appear as fixed since 0.1.1-10:
* Fix a vulnerability in the use of preg_replace (Closes: #508628).
  This is fixed by dont-use-preg-e-option.patch in 0.1.1-10

* Fix a vulnerability in quota image generation. This fixes CVE-2008-5620. Thanks to Nico Golde for reporting it. Closes: #509596.
  This is fixed by cve-2008-5620.patch in 0.1.1-10

* Apply fix for XSS issue (CVE-2009-0413). Closes: #514179.
  This patch can't be applied, as the file program/lib/washtml.php doesn't even exist in 0.1.1. According to Debian bug #514179, this won't be fixed in 0.1.1 (as well as a lot of other vulnerabilities).

* Version 0.2.1 Remove patch correcting a vulnerability in html2text.php.
  This is a 0.2-only problem.

* Version 0.2.1 Remove patch fixing login issue. This is fixed upstream.
  The patch log-failed-logins.patch can be adapted to apply to 0.1.1-10, but what it really does is just log the failed logins.