On Thu, 2014-01-23 at 07:02 +0100, Helmut Grohne wrote:
> On Wed, Jan 22, 2014 at 09:41:41PM +0100, Tino Mettler wrote:
> > Btw., don't expect me to fix this for oldstable, which is the version
> > you use. As far as I can see, the script is only used at build time.
>
> The issue is reported against oldstable, because it is the oldest
> relevant version applicable. I agree that fixing a build issue for
> stable or oldstable is probably not worth the effort.
>
> CVE-2014-1639 was assigned to this issue. Please mention the identifier
> in the changelog when fixing.
Thanks for reporting this. My first CVE - not sure whether I should be
ashamed or proud ;-} At least I am in good company
(http://seclists.org/oss-sec/2014/q1/138).

Tino, I finally finished packaging 1.3.99.7 yesterday and will announce
it today if final, manual testing goes well. I can put any fix into 1.4.

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.