Thank you very very much for this, Salvatore.

Please prepare the NMU, but hold off on it for upstream's opinion. Also, please 
try to engage the security team. Unless you're part of it, of course ;-)

On Apr 22, 2013, at 11:02 AM, Salvatore Bonaccorso wrote:

> Control: tags 702267 + patch
> 
> Hi Michal
> 
> On Thu, Apr 18, 2013 at 08:35:10AM +0200, Michal Trojnara wrote:
>> This is a security vulnerability that may result in remote code
>> execution.  It should be fixed immediately.
>> 
>> Current stunnel Debian package is based on stunnel 4.53.  This upstream
>> version is over a year old.
>> 
>> Please update the package to stunnel 4.56.  This version seems to be
>> very stable.
> 
> Unfortunately, the stunnel4 package cannot be updated to the latest upstream
> version due to the freeze and wheezy being released very soon. So the
> version based on 4.53 needs to be patched.
> 
> I tried to extract the corresponding diff from 5.54 to 4.55 also based
> on what Red Hat did[1].
> 
> [1]: http://rhn.redhat.com/errata/RHSA-2013-0714.html
> 
> Does this look good from your upstream point of view?
> 
> Luis, can you work on it, else I can prepare the NMU as per debdiff.
> 
> Regards,
> Salvatore
> <CVE-2013-1762.patch><stunnel4_4.53-1.1.debdiff>

