>>>>> "DG" == Dennis Gilmore <dennis@xxxxxxxx> writes:

DG> Bad if it could break things badly. better to make sure that the
DG> admin is aware of what is needed. Could be ok with sufficient
DG> testing

I looked at the mantis source and it seems to be coded to handle this well. The login page (it's a bug tracker written in PHP) checks the database schema version and, if outdated, sends you to an upgrade page. If the CVEs are serious enough, just pushing the update may be the best course of action. Otherwise we can see if it's reasonable to run the update snippet in %post.

>> 3) Leave things as they are (insecure).

DG> Not good and another reason to EOL FE3

FE4 has precisely the same issue in this case, so it seems this is not an option.

>> 4) Work in earnest to try to backport patches or come up with our
>> own fixes.

DG> May be best bet.

It depends on the nature of the problem. It could require someone knowledgeable in both the operation of Mantis and PHP programming. Leaves me out.

 - J<