Mantis and "difficult" upgrades (Was: Fedora Extras 3)
Jason L Tibbitts III
tibbs at math.uh.edu
Mon May 22 14:35:45 UTC 2006
A quick chat with the packager of mantis (which is responsible for
five open CVEs on FE3 and FE4) shows that updates to 1.0.3 are
forthcoming for FE5 (which should fix CVE-2006-1577) but there is no
clean update path for FE3 and FE4 due to schema changes. There are
supposedly some scripts which will do the necessary schema updates.
It looks like backporting anything would be unreasonable, although I
haven't looked closely at the source.
So, a dilemma:
1) Push a naive update and break systems, leaving the admins to run
the schema updates.
2) Run them automatically and hope they actually work.
3) Leave things as they are (insecure).
4) Work in earnest to try to backport patches or come up with our own
fixes.
The maintainer also suggested that we pull mantis from FE3, although
that can't do anything for existing installations. (He doubts there
are any.)
What to do?
- J<
More information about the Fedora-security-list
mailing list