[Bug 5297] Re: [Bug 5297] Re: [Bug 5297] Re: Trac 0.9.1 and 0.9.2 to fix SQL injection vulnerabilities, 0.9.3 – XSS vulnerabilities
Wouter Hanegraaff
wouter at blub.net
Wed Apr 26 10:25:38 UTC 2006
One of the things to keep in mind, is that currently the packages in
hoary and breezy use a 0.8.x version. When upgrading to a 0.9 series,
the database schema has to be converted. For my own use, I backported a
0.9.x package to hoary some time ago, and after the upgrade I had to
manually convert the database schema for each project. This didn't cause
any further problems, but it makes the upgrade a bit more complicated
than one would expect when installing a security update. However,
backporting all security fixes is probably a lot of work for a
relatively small group of users.
Possibly, the database schema upgrade could be handled by the postinst
script, but that doesn't change the fact that the upgrade from 0.8.x to
0.9.x is an upgrade to a new upstream version and not just a security fix.
Maybe the latest 0.9.x version should be backported and placed in
-updates, since this would provide users with an upgrade path to a
secure version. That leaves the default versions in hoary and breezy
vulnerable, though.
Wouter
--
Trac 0.9.1 and 0.9.2 to fix SQL injection vulnerabilities, 0.9.3 – XSS vulnerabilities
https://launchpad.net/bugs/5297