From: Martin H. <mar...@si...> - 2016-01-23 17:08:46
Dear Rene,

> Please.
> Ideally including which versions are affected (in my case I'd need to patch
> 1.1.3 and 1.2.4) and which patches fix it...

There are no patches against 1.2.4 or 1.1.3. Both of these should be upgraded to 1.3.5 which has a compatible interface with all previous versions. If it doesn't then we will work to address that.

I'm afraid we have not kept track of precisely which patches provide security level bug fixes and there are a lot between 1.1.3 and 1.3.5. In addition, the code has changed a lot between those versions such that identifying which security bugs apply on which version of the code and even whether the bug fix works in that context is a difficult path to take. Instead it's easier just to upgrade the library.

The project's policy is to ensure backward compatibility at the API level, but not at the feature level. We also don't separate security bug fixes from feature bug fixes. Sometimes the category is easy to identify but often it is not.

Yours,
Martin