This bug was fixed in the package click -
0.4.40+15.10.20151006-0ubuntu1.1
---------------
click (0.4.40+15.10.20151006-0ubuntu1.1) wily; urgency=medium
* SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
can be used to install alternate security policy than what is defined
- click/install.py: Forbid installing packages with data tarball members
whose names do not start with "./". Patch thanks to Colin Watson.
- CVE-2015-XXXX
- LP: #1506467
-- Jamie Strandboge <ja...@ubuntu.com> Thu, 15 Oct 2015 11:13:36 -0500
** Changed in: click (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1479001
Title:
Older version of a user installed click is not updated by custom or
base pre-installed clicks with a more recent version
To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1479001/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
