package geoip-database-update
severity 760688 normal
thanks

On Sun, Sep 21, 2014 at 4:25 PM, Ludovico Cavedon <cave...@debian.org> wrote:
>> 2. file update has race conditions:
>> - file is removed and later downloaded
>> - file decompression is in place, this exposes partial file to user
>>
>> 3. file download-update is not safe: wget can get redirect and name file
>> with any name.
>> so in /usr/share/GeoIP can be found files like index.html and others...

Actually these issues are already fixed in version 1.9
- the decompression is not in place but to a temporary file
- the output filename -O option is already passed to wget (so no arbitrary filename)
- the .dat is not removed before downloading (although it is removed before renaming the new one, so there is a race condition that I am fixing).

The security issue that was raising the severity to critical is not there, so I am downgrading it to "normal" and will provide an upload soon.

Cheers,
Ludovico
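
The update pattern discussed in this message (fixed output name for wget, decompression to a temporary file, rename over the old .dat without removing it first), as an added example that is not part of the original mail or the package's script. The function names and the temporary file name templates are hypothetical.

```shell
#!/bin/sh
# Added example: replace a compressed database without a window in which
# the destination is missing or partially written.

# fetch_to URL OUT: download to a name we choose (-O), so a redirect
# cannot decide which file name appears in the target directory.
fetch_to() {
    wget -q -O "$2" "$1"
}

# install_db SRC_GZ DEST: decompress into a temp file in DEST's directory,
# then rename over DEST. DEST is never removed beforehand, so a reader
# sees either the complete old file or the complete new one.
install_db() {
    src=$1
    dest=$2
    tmp=$(mktemp "$(dirname "$dest")/.geoip.XXXXXX") || return 1
    if gunzip -c "$src" > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp"
        mv -f "$tmp" "$dest"   # same directory, so this is a rename(2)
    else
        rm -f "$tmp"           # corrupt or empty input: keep the old DEST
        return 1
    fi
}

# update_db URL DEST: download next to DEST, install, clean up.
update_db() {
    dl=$(mktemp "$(dirname "$2")/.geoip-dl.XXXXXX") || return 1
    if fetch_to "$1" "$dl" && install_db "$dl" "$2"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$dl"
    return "$rc"
}
```

The temporary file is created in the destination directory because `mv` is only an atomic rename when source and target are on the same filesystem.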