On Mon, Dec 03, 2012 at 12:00:18PM +0100, Alessandro Ghedini wrote:
> forwarded 694999 http://code.google.com/p/cityhash/issues/detail?id=10
> kthxbye
>
> On Mon, Dec 03, 2012 at 08:22:47AM +0100, Moritz Muehlenhoff wrote:
> > Package: cityhash
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Hi,
>
> Hi,
>
> > please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6051
> >
> > I'm not sure if/when this was fixed upstream, so better contact upstream.
>
> I opened a ticket upstream but it doesn't appear to be fixed. It's not clear if
> Debian is affected though: the CVE was published 6 days after the 1.1.0 release
> which partially reworked the hashing algorithms, but Debian currently has only
> the one-year-old 1.0.3 version (the sid version was reverted to 1.0.3
> yesterday), which may not be affected.
>
> Though, if 1.0.3 is affected and if 1.1.0 is the fix (or if the fix is based on
> it) I don't think it would be suitable for a wheezy upload, since the reworked
> algorithms are not retrocompatible (see #694916).
Given that there are no rdeps in Wheezy and cityhash hasn't been part of a release, it would make more sense to start with the reworked 1.1.0 version? Even if it's late in the freeze.

Cheers,
Moritz