On Tue, Jan 27, 2015 at 12:34:09PM +0100, Axel Beckert wrote:
> Hi Moritz,
>
> Moritz Mühlenhoff wrote:
> > I think it's sufficient if we fix this in a point update, can you take
> > care of that?
>
> Do you think of Jessie or Wheezy? As far as I can see, Wheezy is
> not affected:
> https://sources.debian.net/src/xymon/4.3.0%7Ebeta2.dfsg-9.1/web/bb-ack.c/#L248

I hadn't checked the status in jessie yet, but I just did and you're right:
Wheezy/Squeeze is not affected. For jessie we can follow the usual
upload/unblock procedure.

> > Has this been forwarded upstream?
>
> Christoph told me on IRC that upstream is aware of it and has patched
> it in SVN, too. I just dug around in upstream's SVN repository and
> I think this is the upstream fix:
> http://sourceforge.net/p/xymon/code/7483/
>
> Actually upstream fixed it in his latest release (4.3.18, September
> 2014) according to SVN:
> http://sourceforge.net/p/xymon/mailman/message/32876426/
>
> But that version was never released, neither on SourceForge
> (http://sourceforge.net/projects/xymon/files/Xymon/) nor on the web
> page (https://www.xymon.com/) as both still list 4.3.17 as most recent
> release -- which is also the reason why I only discovered now that
> there actually is a new upstream release.
>
> On the mailing list there is a thread asking about the status of
> 4.3.18 and someone found a tar ball at https://www.xymon.com/patches/.
> At least the FreeBSD port maintainer doesn't seem to consider that one
> "official" according to
> http://lists.xymon.com/archive/2014-November/040653.html

Ok, I'll request a CVE on oss-security.

Cheers,
Moritz