On Mon, Feb 11, 2013 at 11:41:13PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Feb 11, 2013 at 11:03:32PM +0100, Salvatore Bonaccorso wrote:
> > On Sun, Feb 10, 2013 at 10:25:27AM -0500, James McCoy wrote:
> > > On Sun, Jan 27, 2013 at 05:43:13PM +0100, Salvatore Bonaccorso wrote:
...
> > The patches look like they address the issue mentioned. What I've done:
> >
> > - Built both for Squeeze and unstable (debdiffs attached)
> >
> > - Installed zoneminder in a VM, confirmed that for both stable and
> >   unstable version zoneminder is vulnerable.
> >
> > - Installed the patched packages to verify the vulnerability.
> >
> > NOTE: I was not able to test setDeviceStatusX10 part, but the code fix
> > is going the same by James:
> >
> > Security Team, how to proceed? Can/will a DSA be released for it?
>
> We should fix this in a DSA.
>
> Vagrant, James or Peter, can you do real-world testing of the proposed squeeze
> package?

I should be able to dedicate some time to testing on squeeze and wheezy and
hopefully upload tomorrow, although I don't have a setup where I can test the
setDeviceStatusX10 part either.

Peter, if you have some time to get the VCS repository ready and do some
testing, I'd be more confident in being able to upload.

Thanks everyone for looking into this issue, and especially the patch.

live well,
  vagrant