Hi,

sql-ledger just got another CVE[0]. Looking at the reports of the security issue and the discussion[1] in the BTS, it is not really clear to me why documenting that this package is not supported by the security team is an option but removing it is not. There are really a lot of SQL injection bugs in sql-ledger, there is a fork[2] where engaged people fix such stuff, and there are 66 installations according to popcon.

So why not just remove this software and file an RFP for ledgersmb? I agree that writing this in the sql-ledger documentation would be better than the current state, but people tend not to read documentation (or package tags), and this does not make the code itself more secure.

Kind regards
Nico

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446366
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=409703
[2] http://www.ledgersmb.org/

--
Nico Golde - http://ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.