found 439226 0.20-2
found 439226 0.29-1
notfound 439226 0.31-1
thanks

Hi,

On Thu, Aug 23, 2007 at 02:27:03PM +0200, [EMAIL PROTECTED] wrote:
> Hi,
>
> A security issue has been reported against your package po4a:
>
> > lib/Locale/Po4a/Po.pm in po4a before 0.32 allows local users to overwrite
> > arbitrary files via a symlink attack on the gettextization.failed.po
> > temporary file.
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4462
>
> It seems the new upstream 0.32 fixes this.
>
> Please mention the CVE id in the changelog when fixing this.
> Also please check whether stable and oldstable are vulnerable and coordinate
> with the security team.

This was fixed in Debian's 0.31-1; stable and oldstable are vulnerable.

The fix for this bug is quite simple: replacing

    $pores->write("/tmp/gettextization.failed.po");

by

    $pores->write("gettextization.failed.po");

Security Team, shall I prepare packages with this fix and upload to
stable-security and oldstable-security?

Kind Regards,
--
Nekral
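To make the one-line fix above concrete, here is an added Perl example (not po4a's own code) showing the fixed-path write the bug report describes next to two hardened variants: writing into the current directory with an exclusive create, and using File::Temp when a temporary location is really required. Function names and the sample content are invented for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from po4a. Run from a scratch directory.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile);

# Vulnerable pattern (what po4a < 0.32 did): a predictable name in the
# world-writable /tmp, opened with '>' which follows symlinks and
# truncates. A pre-placed symlink at that name redirects the write to
# whatever the link points at, with the privileges of the po4a user.
sub write_failed_po_unsafe {
    my ($content) = @_;
    my $path = "/tmp/gettextization.failed.po";
    open(my $fh, '>', $path) or die "cannot open $path: $!";
    print $fh $content;
    close $fh;
    return $path;
}

# Hardened 1 (the shape of the 0.32 fix): write into the invoking user's
# current directory instead of /tmp. O_EXCL additionally makes the open
# fail if the name already exists at all, including as a dangling symlink,
# so an existing file is never clobbered through a link.
sub write_failed_po_cwd {
    my ($content) = @_;
    my $path = "gettextization.failed.po";
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0644)
        or die "cannot create $path: $!";
    print $fh $content;
    close $fh;
    return $path;
}

# Hardened 2: if a temporary file is genuinely needed, let File::Temp
# choose an unpredictable name and open it with O_EXCL for you.
sub write_failed_po_tmp {
    my ($content) = @_;
    my ($fh, $path) = tempfile("gettextization.failed.XXXXXX",
                               SUFFIX => ".po", TMPDIR => 1);
    print $fh $content;
    close $fh;
    return $path;
}

unless (caller) {
    my $sample = "msgid \"constructed sample\"\nmsgstr \"\"\n";
    print "cwd:  ", write_failed_po_cwd($sample), "\n";
    print "temp: ", write_failed_po_tmp($sample), "\n";
}
```

Running it twice in the same directory makes the second call to write_failed_po_cwd die on the existing file, which is the intended behaviour of O_EXCL.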