Package: heartbeat
Severity: grave
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was published for libtool. I see that heartbeat in unstable no longer embeds libtool, but it appears that etch and lenny still have it. I am not sure if it is actually used in the binary packages though. Please check. If those packages are not affected, please close the bug.

CVE-2009-3736[0]:
| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b,
| attempts to open a .la file in the current working directory, which
| allows local users to gain privileges via a Trojan horse file.

Note that this problem also affects etch and lenny, so if your package is affected, please coordinate with the security team to release the DSA for the affected packages.

If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3736
    http://security-tracker.debian.org/tracker/CVE-2009-3736