Hi,

On Sat, Dec 31, 2016 at 03:26:48PM +0100, Willi Mann wrote:
> Hi Jean-Francois,
>
> Are you fine with attached patch? I saw that two other cmd_ functions
> follow the same pattern, so they are probably also vulnerable, right?

Thanks for the notice. I have done some minor updates to the bug (adding tags, and found version for the jessie version).

I have requested a CVE here: http://www.openwall.com/lists/oss-security/2016/12/31/2

Not sure yet if that would warrant a DSA, possibly it could be updated via the upcoming point release as well.

Regards,
Salvatore