On 13054 March 1977, Yves-Alexis Perez wrote:

>> All our commits are open and get to the -dak list too.
>> The basic summary is "really old code that needs to be replaced,
>> really". In this case - a possible attack using the help of shell
>> metacharacters by a specially prepared filename due to not checking if
>> such characters are in the filename AND using Perl's open function in the
>> way it lets shell help it.
>> My quick fix only ensured we don't have meta characters, Ansgar invested
>> some more time and rewrote the code in question much more. And fixed a
>> number of other issues too. For details there: read the commits. :)

> Is dak present in a “released” state somewhere? Do other people use
> those releases? Meaning, should we ask for a CVE for this?

No, no and no.

We have git. We have people use that, that's for sure. Checked out at various dates. I don't think that's something a CVE should be issued for. Though I won't block it if someone does, but the only thing you can do is "anything before commit XY, update with the latest".

I really hope (and we silently somehow assume) that those who use dak are following at least debian-...@lists.debian.org.

--
bye, Joerg
Maybe, just once, someone will call me 'Sir' without adding, 'You're making a scene.'
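
The bug class described in the thread (an unchecked filename reaching a form of Perl's open that can involve the shell), shown as an added example; this is not dak's code and not taken from the commits mentioned. The allowlist, the function names and the sample filenames are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist for filenames (an assumption for this example, not dak's rule):
# first character alphanumeric, then alphanumerics plus . _ + ~ -
# \A and \z anchor the whole string; "$" would accept a trailing newline.
sub is_safe_filename {
    my ($name) = @_;
    return 0 unless defined $name && length $name;
    return $name =~ /\A[A-Za-z0-9][A-Za-z0-9._+~-]*\z/ ? 1 : 0;
}

# Risky pattern: two-argument open lets the string choose the mode, so a
# name beginning or ending with "|" is treated as a command, not a file:
#     open(my $fh, $name)
# Hardened: the mode is a separate argument; $name is only ever a path.
sub open_for_read {
    my ($name) = @_;
    die "rejected filename\n" unless is_safe_filename($name);
    open(my $fh, '<', $name) or die "cannot open $name: $!\n";
    return $fh;
}

# When an external tool really is needed, the list form of pipe open passes
# the arguments straight to exec, so no shell interprets metacharacters.
sub tool_output {
    my ($tool, @args) = @_;
    open(my $ph, '-|', $tool, @args) or die "cannot run $tool: $!\n";
    my @lines = <$ph>;
    close($ph);
    return @lines;
}

# Constructed sample names: one ordinary name and several that must be refused.
for my $name ('hello_1.0-1.dsc', 'a b.dsc', 'x.dsc|', '|x',
              '../x.dsc', '$(x).dsc', "x.dsc\n") {
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-18s %s\n", $shown, is_safe_filename($name) ? 'accept' : 'reject';
}

# The argument reaches echo unchanged: ";" and "|" are plain characters here.
print tool_output('echo', 'a;b|c');
```

Validation and the three-argument form are complementary: the first narrows what names are accepted at all, the second ensures that whatever is accepted can only be opened as a file.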