tags 484728 + patch
thanks

Hi Alvaro,
* Alvaro Herrera <[EMAIL PROTECTED]> [2008-06-06 07:29]:
> Package: roundup
> Version: 1.4.4
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> 
> I see that there isn't a fix for Debian for this bug:
> 
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1475
> http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788
> 
> Apparently, the Debian version is thus vulnerable.

Confirmed. Toni, the previous NMU was not vulnerable to 
this, please try to keep track of upstream vulnerabilities 
so such things don't get overwritten introducing new 
vulnerabilities. We already had this marked as not-affected 
because the xml-rpc code was introduced in 1.4.0 and only 
noticed this because of this mail now.

Here is a patch for this:
http://sourceforge.net/tracker/download.php?group_id=31577&atid=402788&file_id=269102&aid=1907211

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpim1tqJnqTa.pgp
Description: PGP signature

Reply via email to