This bug was fixed in the package click - 0.4.40+15.10.20151006-0ubuntu1.1 --------------- click (0.4.40+15.10.20151006-0ubuntu1.1) wily; urgency=medium
* SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that can be used to install alternate security policy than what is defined - click/install.py: Forbid installing packages with data tarball members whose names do not start with "./". Patch thanks to Colin Watson. - CVE-2015-XXXX - LP: #1506467 -- Jamie Strandboge <ja...@ubuntu.com> Thu, 15 Oct 2015 11:13:36 -0500 ** Changed in: click (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1479001 Title: Older version of a user installed click is not updated by custom or base pre-installed clicks with a more recent version To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-devices-system-image/+bug/1479001/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs