Comment 11 for bug 5297

Wouter Hanegraaff (wouter-blub) wrote : Re: [Bug 5297] Re: [Bug 5297] Re: Trac 0.9.1 and 0.9.2 to fix SQL injection vulnerabilities, 0.9.3 – XSS vulnerabilities

One of the things to keep in mind, is that currently the packages in
hoary and breezy use a 0.8.x version. When upgrading to a 0.9 series,
the database schema has to be converted. For my own use, I backported a
0.9.x package to hoary some time ago, and after the upgrade I had to
manually convert the database schema for each project. This didn't cause
any further problems, but it makes the upgrade a bit more complicated
than one would expect when installing a security update. However,
backporting all security fixes is probably a lot of work for a
relatively small group of users.

Possibly, the database schema upgrade could be handled by the postinst
script, but that doesn't change the fact that the upgrade from 0.8.x to
0.9.x is an upgrade to a new upstream version and not just a security fix.

Maybe the latest 0.9.x version should be backported and placed in
-updates, since this would provide users with an upgrade path to a
secure version. That leaves the default versions in hoary and breezy
vulnerable, though.

Wouter