[cc'ing you just in case you aren't subscribed]

On Wed, Nov 25, 2015 at 12:29:40PM -0500, Antoine Beaupré wrote:
> this is my first DLA, so I want to make sure I am doing this
> right... Already I am worried I have skipped a step because I have
> already reserved DLA-348-1 in the security tracker for this... But I
> feel this is not so much of a problem as I haven't sent the advisory
> just yet.
>
> The DLA covers an old security issue that was never fixed in squeeze,
> but also a new security issue that was just pushed to security-master
> for wheezy and jessie today.

Hi,

the new security issue is clearly CVE-2015-0859, but the squeeze
version of smokeping isn't vulnerable AFAICS? It doesn't have the
'shift @ARGV' thing in the CGI script, that was introduced in 2.6.5-1
(so between squeeze and wheezy) and I can't see it using command line
arguments for anything else either...

-- 
Niko Tyni nt...@debian.org