This bug was fixed in the package click -
0.4.40+15.10.20151006-0ubuntu1.1

---------------
click (0.4.40+15.10.20151006-0ubuntu1.1) wily; urgency=medium

  * SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
    can be used to install alternate security policy than what is defined
    - click/install.py: Forbid installing packages with data tarball members
      whose names do not start with "./". Patch thanks to Colin Watson.
    - CVE-2015-XXXX
    - LP: #1506467

 -- Jamie Strandboge <ja...@ubuntu.com>  Thu, 15 Oct 2015 11:13:36 -0500

** Changed in: click (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1479001

Title:
  Older version of a user installed click is not updated by custom or
  base pre-installed clicks with a more recent version

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1479001/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to