Michal Čihař wrote:
> Hi
>
> On Wed, 02 Jun 2010 19:52:49 +0200
> Moritz Muehlenhoff <j...@debian.org> wrote:
>
> > the following security issue was reported on the oss-security mailing
> > list. We don't need to fix this in stable, but a fix for Squeeze might
> > still be appropriate.
>
> I've just committed the fix into Git for 4.8.0 currently available in
> experimental (it will go to unstable once Python 2.6 is default).
>
> Using rpm on Debian for installing binary packages is discouraged in
> various ways,

Using any distribution using rpm for installing binary packages is discouraged ;-)

> so the risk is not that high. Because of this I will
> probably delay upload when more things will pop up (e.g. Python 2.6 is
> default in unstable).

I agree the risk is negligible.

There's also another issue reported for rpm, which has been assigned
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2197 :
https://bugzilla.redhat.com/show_bug.cgi?id=125517

This seems like an issue which could also affect a typical use case of
rpm in Debian. However, since the attack vector is very obscure I don't
think we need to fix it in Lenny.

Cheers,
Moritz