On Sat, Nov 22, 2008 at 03:13:43PM +0100, Eckhart Wörner wrote:
> Package: quassel
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Quassel version in Debian is vulnerable to IRC command injection as described
> in http://www.frsirt.com/english/advisories/2008/3164
> Updated packages are already available at http://quassel.irc.org/ , according
> to quassel developers a backport for the fix is also available.
I've been looking at the upstream homepage for a patch and upstream
describes the Debian package as "hopelessly outdated and unmaintained"
and point to an external build. As such, it should likely be dropped
from Lenny rather than fixed. It can be brought into proper shape for
Squeeze (more recent packages are already available on mentors.debian.net)
Cheers,
Moritz
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
