Backport PHPMailer address validation #252

Merged
merged 1 commit into from
Mar 1, 2016

LukasReschke
Contributor

LukasReschke added a commit that referenced this pull request Mar 1, 2016
Backport PHPMailer address validation
@LukasReschke LukasReschke merged commit f6756af into stable7 Mar 1, 2016
@LukasReschke LukasReschke deleted the apply-phpmailer-patch branch March 1, 2016 20:24
LukasReschke added a commit to owncloud/core that referenced this pull request Mar 1, 2016
@DavidPrevot

“Funny” that you didn’t take PHPMailer as an example in your recent blog post.

Here are some links:

Aka, why ownCloud people think they know better than the rest of the world.

@LukasReschke
Contributor Author

David. Funny that you don't consider the impact on this one. It's nearly nonexistent.

But we certainly can get into an argument here where I point out all the fails happening on Debian's side. Believe me. They are worse, something like this here is barely a problem...

@LukasReschke
Contributor Author

I mean let's just take a look at http://metadata.ftp-master.debian.org/changelogs/main/o/owncloud/owncloud_7.0.4+dfsg-4~deb8u4_changelog

There is stuff that we fixed in August and as per that page got into Debian in September.

So, yes, I believe we know better and one always has to consider the impact that a specific vulnerability has. Especially also considering additional validations that are existent in core.

And yes, I know you're unhappy given the fact that we don't share advisories until 14 days after the release, but we know that our users are slow at updating and we don't need to make it even easier for script kiddies. If you just take our upstream TAR ball, stuff would be so much easier. (Also note that stable7 basically only receives stuff that you anyways want to backport! That stuff usually can lead to data loss!)

In my perfect world we just place a TAR ball somewhere and this gets used. Less work for all involved and all happy. Yes, I know that this is against Debian policies but Debian policies are not my perfect world ;)

David, I'm not the angry evil guy that you might imagine. I appreciate the work you do. It's just that ownCloud 7 has so many known bugs and some of the more important fixes are only in more recent versions.
