Hi Salvatore,

I started checking the CVEs for php-gettext and I'm not sure I follow the information for CVE-2016-6175. Maybe you have more data than I do.

The vulnerability is that a malicious user that has permission to craft .mo files in the target filesystem could execute any php code on that system. I find that a quite unlikely attack vector. Based on this I also think the bug should have a different priority than grave. Or have I missed anything crucial?

I'm asking as I plan to mark this one as no-dsa for wheezy.

Best regards

// Ola

PS. There is another bug on the same package and that one should probably have a grave bug filed, but that is another story. DS.

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------