Recai Oktaş wrote:
> Debdiff is attached and here is the new changelog for your convenience:
>
> elog (2.5.7+r1558-4+sarge1) stable-security; urgency=critical
>
>   * Major security update (big thanks to Florian Weimer)
>     + Backport r1333 from upstream's Subversion repository:
>       "Fixed crashes with very long (revisions) attributes"
>     + Backport r1335 from upstream's Subversion repository:
>       "Applied patch from Emiliano to fix possible buffer overflow"
>     + Backport r1472 from upstream's Subversion repository:
>       "Do not distinguish between invalid user name and invalid password
>       for security reasons"
>     + Backport r1487 from upstream's Subversion repository:
>       "Fixed infinite redirection with ?fail=1"
>     + Backport r1529 from upstream's Subversion repository:
>       "Fixed bug with fprintf and buffer containing "%""
>       [Our patch just eliminates the format string vulnerability.]
>     + Backport r1620 from upstream's Subversion repository:
>       "Prohibit '..' in URLs" [CVE-2006-0347]
>     + Backport r1635 and r1642 from upstream's Subversion repository:
>       "Fixed potential buffer overflows" [CVE-2005-4439]
>
> Let me know whether it is fine and I'll make the upload to stable-security
> (right?).
Thanks, it looks good, please upload.
Cheers,
Moritz
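Added illustration, not the elog source or the Debian patch: the fprintf pattern behind the r1529 entry and the kind of '..' check the r1620 entry describes, written as hypothetical C helpers with constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration (not elog code). The bug class behind
 * "fprintf and buffer containing '%'": an attacker-influenced buffer
 * passed as the FORMAT argument, so '%' sequences inside it are parsed
 * as directives:
 *
 *     fprintf(fp, buf);          // buf interpreted as a format string
 *
 * The fix is a constant format with the data passed as an argument:
 *
 *     fprintf(fp, "%s", buf);    // '%' in buf is now plain text
 */

/* Safe equivalent into a bounded buffer. Returns bytes written
 * (excluding the NUL) or -1 if the text did not fit. */
int write_log_line(char *dst, size_t cap, const char *untrusted)
{
    int n = snprintf(dst, cap, "%s", untrusted);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

/* 1 if the text holds a '%' that is not the literal "%%", i.e. it would
 * become a directive if it ever reached a format slot (useful when
 * auditing log input or writing a detection rule). */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

/* 1 if any path segment of the URL (split on '/', query ignored) is
 * exactly "..", matching the intent of "Prohibit '..' in URLs". */
int url_has_dotdot_segment(const char *url)
{
    const char *p = url;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/' && *p != '?') p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (*p == '?') break;
        if (*p) p++;
    }
    return 0;
}
```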