On Mon, 16 Jan 2006, Will Lowe wrote:

> Package: pine
> Version: 4.62-1
> Severity: grave
> Justification: user security hole
>
> http://www.washington.edu/pine/ says:
>
> Note: Install Pine 4.64, or later version, to fix a buffer overflow
> problem. Read iDEFENSE Security Advisory for full details.
>
> The advisory is here:
>
> http://www.idefense.com/intelligence/vulnerabilities/display.php?id=313
>
> Pine appears to use the UW-IMAP client-side IMAP library, which has a
> bug that allows access to the system by the user running Pine.
>
> The version of Pine shipped in Sarge is 4.62 and I've seen no
> security-related release to address this issue. I realize that Pine
> is in non-free but we're leaving our users out to dry here ...
How exactly is this dangerous in *pine*? (not in the IMAP server) You gain access to the system if you are running pine? That would be a normal bug, IMHO, and therefore not the kind of bug that would deserve a report of grave severity.

In either case, non-free sucks, and pine sucks even more. Since we don't distribute any .debs, apt-get upgrade will not magically fix anything. If I had to deal with this, I would tell users just to use the version in testing/unstable, which builds fine on stable, as they would have to build the new version themselves anyway.

I'm Cc:ing the security team for their opinion.