Manuel Prinz wrote:
> Hi Michael!
>
> On Monday, 07.12.2009, at 00:06 -0500, Michael Gilbert wrote:
>> The following CVE (Common Vulnerabilities & Exposures) id was
>> published for libtool. I have determined that this package embeds a
>> vulnerable copy of the libtool source code. However, since this is a
>> mass bug filing (due to so many packages embedding libtool), I have not
>> had time to determine whether the vulnerable code is actually present
>> in any of the binary packages. Please determine whether this is the
>> case. If the binary packages are not affected, please feel free to close
>> the bug with a message containing the details of what you did to check.
>
> AIUI, only the versions in squeeze and sid (identical) are affected. We
> did not have static library support in the versions in etch and lenny,
> so there are no .la files contained in the packages and they therefore
> should not be vulnerable.
>
> I'm preparing a fix at the moment, which I can upload soon. I'd like to
> know with which priority to upload, and where. The ST suggests urgency
> of "medium", but I'm unsure which queue to use. As I understand dev-ref,
> an upload to ftp-master should suffice since {old,}stable is not
> affected. (Sorry, first CVE…)

As only sid and squeeze are affected, uploading with medium urgency to
unstable should be enough.

Cheers

Luk