Alvaro Herrera
2008-Jun-05 22:27 UTC
[Secure-testing-team] Bug#484728: roundup: security hole: CVE-2008-1475
Package: roundup
Version: 1.4.4
Severity: grave
Tags: security
Justification: user security hole

I see that there isn't a fix for Debian for this bug:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1475
http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788

Apparently, the Debian version is thus vulnerable.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/1 CPU core)
Locale: LANG=es_CL.utf8, LC_CTYPE=es_CL.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Thijs Kinkhorst
2008-Jun-06 04:51 UTC
[Secure-testing-team] Bug#484728: roundup: security hole: CVE-2008-1475
Hi Alvaro,

On Friday 6 June 2008 00:27, Alvaro Herrera wrote:
> I see that there isn't a fix for Debian for this bug:
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1475
> http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788
>
> Apparently, the Debian version is thus vulnerable.

Thank you for this report. The version in Debian stable is not vulnerable because the code was introduced in 1.4.0. However, the version in testing/sid has the most recent changelog entry predating the report of the security bug you mention and I see no other evidence that it has indeed been fixed, so I've marked it as unfixed in our tracker and it will hopefully be dealt with soon.

cheers,
Thijs