On Thu, Jan 22, 2015 at 06:00:54PM +0100, Christoph Berg wrote:
> Re: To Debian Bug Tracking System 2015-01-22
> <20150122161925.ga23...@msg.df7cb.de>
> > Source: xymon
> > Version: 4.3.17-1
> > Severity: grave
> > Tags: security patch pending
> >
> > web/acknowledge.c uses a string twice in a format string, but only
> > allocates memory for one copy. The attached patch fixes this.
>
> Fwiw, the CGI is only accessible for authenticated admin users, so the
> consequences of the issue aren't as bad as they could be.

I think it's sufficient if we fix this in a point update, can you take
care of that?

Has this been forwarded upstream? Since it's public we cannot assign a
CVE from the Debian CNA pool any more, so this will need to go through
the oss-security mailing list.

Cheers,
Moritz
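
The bug class named in the quoted report (one string substituted twice, buffer sized for one copy), shown as an added example that is not part of this thread and is not xymon's code. The template `ACK_FMT` and the functions `one_copy_size`, `required_size` and `format_ack_link` are hypothetical names, and the host string is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed template: the same argument is substituted twice. */
#define ACK_FMT "<a href=\"ack?host=%s\">Acknowledge %s</a>"

/* Flawed sizing of the kind the report describes: room for one copy only. */
size_t one_copy_size(const char *host)
{
    return strlen(ACK_FMT) + strlen(host) + 1;
}

/* Bytes the formatted output really needs, including the NUL terminator. */
size_t required_size(const char *host)
{
    int n = snprintf(NULL, 0, ACK_FMT, host, host);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hardened form: measure first, allocate that much, format with a bound.
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *format_ack_link(const char *host)
{
    size_t need = required_size(host);
    char *buf;

    if (need == 0 || (buf = malloc(need)) == NULL)
        return NULL;
    if (snprintf(buf, need, ACK_FMT, host, host) != (int)(need - 1)) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    const char *host = "db-server-01.example.net"; /* constructed input */
    char *s = format_ack_link(host);

    printf("one-copy buffer: %zu bytes, needed: %zu bytes\n",
           one_copy_size(host), required_size(host));
    if (s != NULL)
        puts(s);
    free(s);
    return 0;
}
```

With this template the one-copy size is still large enough for very short inputs, because the two `%s` specifiers contribute four bytes of slack, so a test with a short string would not reveal the undersized buffer.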