Hi László! On Fri, May 22, 2015 at 08:14:16AM +0200, László Böszörményi (GCS) wrote: > Hi Salvatore, > > On Fri, May 22, 2015 at 6:48 AM, Salvatore Bonaccorso <car...@debian.org> > wrote: > > ntfs-3g in jessie and above is similarly affected by CVE-2015-3202 > > since ntfs-3g since 1:2013.1.13AR.3-2 builds with internal fuse copy. > Ouch. I plan to patch the Sid version and change the build system to > use the system FUSE library.
Jep that would be great. i don't know the reason why it was switched back in 1:2013.1.13AR.3-2 so hopefully it can be done without problems for sid. > > The patch I have used to prepare the updates for jessie is attached. > I just got the DAK email for Jessie. Wheezy is not affected I guess, > will check. Yes, wheezy does not use the internal library. But while updating jessie I also added the patch to wheezy and explained that resulting binary packages are not affected, see https://lists.debian.org/debian-security-announce/2015/msg00159.html > > > ntfs-3g though should try to use the system fuse and not the embedded > > copy, could you check to switch this back? > Sure thing. The internal copy may contain some fixes over the > official source, but I'll check this as well. I'm away from home, but > will be back in ten hours. Thanks for your work on this then! Regards, Salvatore -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
