On Wed, May 09, 2012 at 12:03:28AM +0200, Cajus Pollmeier wrote:
> Hi,
>
> looks like this one:
>
> https://issues.apache.org/jira/browse/QPID-3652
>
> which - according to the bug itself affects 0.12. Comparing the diff
> from
>
> https://reviews.apache.org/r/2988/diff/#index_header
>
> makes me wonder, because the changes are not present in 0.14, but in the
> upcoming 0.16 release. RedHat itself used the CVE to update from 0.12 to
> 0.14 - with a ~2MiB patch which includes the changes mentioned above.
>
> So my short midnight conclusion is that the fix is not included in the
> upstream 0.14 release and is therefore not included in the Debian
> packages currently in testing and unstable.
>
> I'm not sure how this is handled, because qpid is not in stable. There
> are a couple of compiling issues open that were caused by the GCC 4.7
> migration, that will make it hard to re-compile the 0.14 without adding
> several patches. Because we're not in "stable", I personally tend to
> wait for the final 0.16 release that is sadly a couple of days late. It
> fixes this issue - and also the compilation problems.
>
> How to deal with this?

Red Hat writes this in https://bugzilla.redhat.com/show_bug.cgi?id=747078#c7

> This flaw only affects the clustered implementation in qpid-cpp
> (qpidd-cpp-server-cluster) which is only available in Red Hat Enterprise MRG.
> The qpid-cpp-server as provided with Red Hat Enterprise Linux 6 does not
> include this functionality, and is thus not affected.

Maybe this cluster functionality is specific to Red Hat or not yet available in the Debian package?

Cheers,
Moritz