Andrew Reid <[EMAIL PROTECTED]> writes:

>   Will there be an "etch" security patch for this for amd64?  The daemon
> runs as root, so there's a potential exploit opportunity, and even if
> there weren't, it's a possible DOS attack.

It's a DoS attack really more than an exploit (sign extension bugs on
internal calls that don't use user-supplied data, which I believe is a
correct characterization of this problem, are unlikely to be exploitable),
and I don't think the Debian security folks will consider it worth an
advisory.  I will, however, check with the stable release managers about
uploading a fixed package for the next stable point release.

Ken, I assume from the previous bug discussion that this was already fixed
in 1.6?  It looks like that file now includes k5-int.h and k5-int.h now
includes time.h.

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>

