severity 407519 important
thanks

On Fri, 19 Jan 2007, Marc Fargas wrote:
> severity critical
> tags +patch
> thanks
>
> The current Django version in Debian has a security hole, so this bug
> should be critical, and the patch recommended by the submitter should be
> applied and brought to etch, I think.
If I understand the bug correctly, the filename of the .po must be modified to include commands with backticks... in other words, the malicious intent is easily recognisable. I expect that 99.9% of the time, the person starting compile-messages just copied/installed the .po files where required... and he certainly would notice that the filename looks very strange compared to the other files!

So I really don't agree with severity critical... which brings to the point that you shouldn't change the severity without justifying your statement. "has a security hole" is a bit short without explaining a likely case of security breach. In particular, when upstream has not considered the risk serious enough to warrant a point release...

Of course, I'd like to hear opinions from others.

Regards,
-- 
Raphaël Hertzog
First French book on Debian GNU/Linux: http://www.ouaza.com/livre/admin-debian/
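The flaw the thread is arguing about, as an added example that is not Django's compile-messages code and not from either message: a hypothetical msgfmt invocation in the shell-string form that lets backticks in a .po filename run commands, beside the argv-list form that passes the name as one literal argument, plus a check that flags such filenames before a build. The sample filenames are constructed.

```python
import re
import shlex
import subprocess
from typing import List

# Constructed sample directory listing; the last entry carries shell metacharacters.
SAMPLE_PO_FILES = ["django.po", "djangojs.po", "`id`.po"]

# Characters a POSIX shell would interpret if the name were spliced into a command line.
SHELL_META = re.compile(r"[`$;&|<>()\s\\\"']")


def has_shell_metachars(name: str) -> bool:
    """True when a filename contains characters a shell would interpret."""
    return bool(SHELL_META.search(name))


def audit_po_names(names: List[str]) -> List[str]:
    """Return the .po filenames that a reviewer should inspect before compiling."""
    return [n for n in names if n.endswith(".po") and has_shell_metachars(n)]


def unsafe_command(po_path: str) -> str:
    """Vulnerable pattern: the filename is interpolated into a string handed to a shell,
    so `...` inside the name is command substitution, not part of the path."""
    mo_path = po_path[:-3] + ".mo"
    return "msgfmt -o %s %s" % (mo_path, po_path)


def safe_argv(po_path: str) -> List[str]:
    """Hardened form: an argv list with no shell; the filename stays one literal argument."""
    mo_path = po_path[:-3] + ".mo"
    return ["msgfmt", "-o", mo_path, po_path]


def quoted_command(po_path: str) -> str:
    """If a shell string is unavoidable, shlex.quote() neutralises the metacharacters."""
    mo_path = po_path[:-3] + ".mo"
    return "msgfmt -o %s %s" % (shlex.quote(mo_path), shlex.quote(po_path))


def compile_po(po_path: str) -> int:
    """Run msgfmt without a shell (shell=False is the subprocess default)."""
    return subprocess.run(safe_argv(po_path), check=False).returncode
```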