Hi Yves-Alexis,

On Thu, May 13, 2021 at 07:05:37PM +0200, Yves-Alexis Perez wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Tue, 2021-05-11 at 21:45 +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for thunar.
> >
> > CVE-2021-32563[0]:
> > > An issue was discovered in Thunar before 4.16.7 and 4.17.x before
> > > 4.17.2. When called with a regular file as a command-line argument, it
> > > delegates to a different program (based on the file type) without user
> > > confirmation. This could be used to achieve code execution.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> Hi Salvatore, thanks for the heads up.
>
> We have Thunar 4.16.3 in testing and 4.16.4 in sid. It'd be best to update
> everything to 4.16.8 but I'm unsure the release team will like that, so I'll
> also look at isolating the fix.

Thank you! Btw, I still would try to check if release team would accept 4.16.8 itself. Note I'm as well not sure about if this will need a DSA or can be fixed via point release, but given your double hat on I will leave that decision to you :)

Regards,
Salvatore