Thanks for reporting this. I'm not able to look at the issue this weekend.
Can you please let me know if it has been reported upstream or, if you have a moment, could you file the report in the upstream bug tracker at http://www.xtuple.org?

I don't believe the package is in stable, but it is in testing and backports.

On 14/02/15 15:30, Luciano Bello wrote:
> Package: openrpt
> Severity: important
> Tags: security patch
>
> The security team received a report from the CERT Coordination Center that
> the Henry Spencer regular expressions (regex) library contains a heap
> overflow vulnerability. It looks like this package includes the affected
> code and that's the reason for this bug report.
>
> The patch is available here:
> http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
>
> Please, can you confirm if the binary packages are affected? Are stable and
> testing affected?
>
> More information, here:
> http://www.kb.cert.org/vuls/id/695940
> https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
>
> A CVE id has been requested already and the report will be updated with it
> eventually.
>
> Cheers, luciano