A security error, CVE-2015-3935, was reported and is fixed in package 3.5.7.
Note that package 3.5.7 contains not only fixes for bugs reported to Debian. It includes other fixes, but they are all related to stability or security,
so it is a better solution to validate this maintenance release than to apply a patch for only CVE-2015-3935.
After discussion with ..., it appears that the security holes are enough to justify this unblock request."
A security error, CVE-2015-3935, was reported for the Dolibarr ERP CRM package. This bug is fixed in the official package 3.5.7 of Dolibarr.
Package 3.5.7 is a maintenance release compared to 3.5.5 and contains only fixes. But not only bugs reported to Debian: it also includes other fixes (but they are all related to stability or security).
I think it is a better solution to validate this maintenance release, based on the new upstream version of Dolibarr, than to apply a patch for only CVE-2015-3935.
Pros are:
- It fixes all Debian-reported bugs (including the security one)
- It also fixes stability bugs
- Patches were already tested because they are deployed and used by several thousand users.
- It is easier for the package maintainer to include this official set of fixes than to apply one patch after another for each Debian report, or to backport each patch into a dedicated version.
- The Debian maintenance version matches the official project maintenance version (better when all the fixes are unrelated to the way the software is packaged)
Cons are:
- The patch includes more than only the reported security fixes
So I just need to know if it's OK to push such a version 3.5.7 (fixes for the 3.5.* branch) instead of only one fix for only the few (the only) reported Debian bugs,
since it provides more stability and is for me a more secure process.