Hi Holger, hi Steve,

On Fri, 24 Feb 2017 11:24:42 +0000 Holger Levsen <hol...@layer-acht.org> wrote:
> On Fri, Feb 24, 2017 at 01:37:55AM -0800, mejo- wrote:
> > I just gave 2.0.6 (from Debian/Wheezy) a try and indeed it's
> > vulnerable too.
> > The proposed patch by Tomaž Šolc from Debian Bugreport #855705
> > fixes this particular vulnerability.
>
> thanks, mejo, for confirming both!

I already prepared 2.0.6-4+deb7u3 with Tomaž' patch for wheezy-security. As Steve announced an upstream fix for the 2.4 branch for today, I waited a little longer with the upload.

On Thu, 23 Feb 2017 19:24:20 +0100 Steve Schnepp <steve.schn...@munin-monitoring.org> wrote:
> The patch is indeed quite minimal, and addresses the issue. It therefore
> looks very ok to me.
>
> Note that I did not plan to take it as is, but use the 2.999.x code
> snippet instead which doesn't have the bug.
>
> I'll plan to do a secfix upstream release tomorrow so you'll have the
> choice of which patch you take ;-)

Steve, do you still plan to do the upstream fix anytime soon? Also, as you intend to backport the changes from munin 2.999, I guess that your fix will be much more intrusive, right?

I'm inclined to upload munin 2.0.6-4+deb7u3 with Tomaž' patch to wheezy-security tomorrow.

Holger, do you take care of the upload to unstable yourself? Probably a straightforward patch (without too much new code) would be good there as well, to simplify/speed up the transition to Stretch.

Cheers,
jonas