On Thu, Nov 26, 2015 at 10:06:12AM -0500, Antoine Beaupré wrote:
> On 2015-11-26 09:44:10, Antoine Beaupré wrote:
> > Maybe I can rebuild the package with just CVE-2013-4168?
>
> On the other hand... does the fix break anything? It seems just like a
> nice precaution...

I expect it doesn't break anything (but I haven't really seen the patch...) So if you're making an update anyway I suppose it's OK to include that.

I haven't found any details about the vulnerability so I'm not clear on the attack vector from running the CGI on an arbitrary config file to running arbitrary commands on the server. My guess is it additionally needs a file upload facility or some other vulnerability, but maybe I'm missing something.

--
Niko Tyni nt...@debian.org