Hi,
looks like this one:
https://issues.apache.org/jira/browse/QPID-3652
which, according to the bug itself, affects 0.12. Comparing the diff
from
https://reviews.apache.org/r/2988/diff/#index_header
makes me wonder, because the changes are not present in 0.14, but in
the upcoming 0.16 release. RedHat itself used the CVE to update from
0.12 to 0.14, with a ~2MiB patch which includes the changes mentioned
above.
So my short midnight conclusion is that the fix is not included in the
upstream 0.14 release and is therefore not included in the Debian
packages currently in testing and unstable.
I'm not sure how this is handled, because qpid is not in stable. There
are a couple of compilation issues open that were caused by the GCC 4.7
migration, which will make it hard to recompile 0.14 without adding
several patches. Because we're not in "stable", I personally tend to
wait for the final 0.16 release, which is sadly a couple of days late. It
fixes this issue, and also the compilation problems.
How to deal with this?
On 08.05.2012 19:40, Moritz Muehlenhoff wrote:
Package: qpid-cpp
Severity: grave
Tags: security
The following was reported for qpid-cpp:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3620
I'm not sure if this affects the Debian package, please investigate.
Cheers,
Moritz
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
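The check the reply above does by hand (is the change from the review-board diff actually present in the 0.14 tree, or only in 0.16?) can be automated by testing, per hunk, whether a release ships the hunk's pre-image (fix missing) or its post-image (fix applied). The following is an added example, not part of the bug report, of Debian's packaging, or of the qpid-cpp project. The diff and the two "release trees" embedded in it are constructed placeholders and are NOT the real QPID-3652 change; in practice you would read the files named in the review diff from the unpacked qpid-cpp-0.14 and 0.16 tarballs into the same path-to-content dict.

```python
"""Decide whether a unified diff is already applied in a given source tree."""
import re
from typing import Dict, List, Tuple

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_unified_diff(diff_text: str) -> Dict[str, List[Tuple[List[str], List[str]]]]:
    """Return {path: [(pre_image_lines, post_image_lines), ...]}, one tuple per hunk.

    Hunk bodies are delimited by the line counts in the @@ header, so a '+++'
    or '---' appearing inside a hunk body is not mistaken for a file header.
    """
    files: Dict[str, List[Tuple[List[str], List[str]]]] = {}
    path = None
    old_left = new_left = 0
    pre: List[str] = []
    post: List[str] = []
    for line in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:          # outside a hunk body
            if line.startswith("+++ "):
                path = line[4:].split("\t")[0]
                path = path[2:] if path.startswith(("a/", "b/")) else path
                files.setdefault(path, [])
            elif line.startswith("@@") and path is not None:
                m = HUNK_RE.match(line)
                if not m:
                    raise ValueError("bad hunk header: " + line)
                old_left = int(m.group(2) or 1)
                new_left = int(m.group(4) or 1)
                pre, post = [], []
                files[path].append((pre, post))
            continue
        if line.startswith("\\"):                     # "\ No newline at end of file"
            continue
        tag, body = line[:1], line[1:]
        if tag == "-":
            pre.append(body); old_left -= 1
        elif tag == "+":
            post.append(body); new_left -= 1
        else:                                         # context line
            ctx = body if tag == " " else line
            pre.append(ctx); post.append(ctx)
            old_left -= 1; new_left -= 1
    return files


def _contains(haystack: List[str], needle: List[str]) -> bool:
    """True if `needle` occurs as a contiguous run of lines in `haystack`."""
    n = len(needle)
    return n == 0 or any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def fix_status(diff_text: str, tree: Dict[str, str]) -> Dict[str, str]:
    """Per file in the diff: 'applied', 'missing', 'file-absent', 'ambiguous' or 'unknown'."""
    result = {}
    for path, hunks in parse_unified_diff(diff_text).items():
        if path not in tree:
            result[path] = "file-absent"
            continue
        lines = tree[path].splitlines()
        post_ok = all(_contains(lines, post) for _, post in hunks)
        pre_ok = all(_contains(lines, pre) for pre, _ in hunks)
        if post_ok and not pre_ok:
            result[path] = "applied"
        elif pre_ok and not post_ok:
            result[path] = "missing"
        elif pre_ok and post_ok:
            result[path] = "ambiguous"   # hunk carries no real change, cannot tell
        else:
            result[path] = "unknown"     # code drifted since the diff; look by hand
    return result


# Constructed, hypothetical diff (NOT the real QPID-3652 fix): adds a length
# check in front of a copy. File paths and identifiers are placeholders.
SAMPLE_DIFF = """\
--- a/src/frame.cpp
+++ b/src/frame.cpp
@@ -10,3 +10,6 @@
 void Frame::decode(const char* data, size_t len)
 {
+    if (len > MAX_FRAME) {
+        throw FramingError("frame too large");
+    }
     memcpy(buffer, data, len);
"""

# Constructed stand-ins for the file as it would ship in two release tarballs.
RELEASE_OLD = {"src/frame.cpp": """\
#include <cstring>
void Frame::decode(const char* data, size_t len)
{
    memcpy(buffer, data, len);
}
"""}
RELEASE_NEW = {"src/frame.cpp": """\
#include <cstring>
void Frame::decode(const char* data, size_t len)
{
    if (len > MAX_FRAME) {
        throw FramingError("frame too large");
    }
    memcpy(buffer, data, len);
}
"""}

if __name__ == "__main__":
    for name, tree in (("old release", RELEASE_OLD), ("new release", RELEASE_NEW)):
        print(name, fix_status(SAMPLE_DIFF, tree))
```

Feed it the diff downloaded from the review request and a dict built by reading each `+++` path from the unpacked tarball; "unknown" is the interesting answer, because it usually means a backport was applied in a modified form (as with the vendor's 0.12-to-0.14 patch) and has to be inspected manually rather than trusted either way.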