On Sun, 2011-04-03 at 07:44 -0700, Daniel Burrows wrote:

> The version of aptitude in stable contains a security bug that could
> theoretically allow a symlink attack in /tmp. However, it can only be
> exploited in a very narrow set of circumstances: the user must have no
> home directory, and they must invoke the "hierarchy editor" (an old and
> mostly undocumented corner of the curses interface). For this reason,
> the security team recommended that I ask -release to put the patch into
> a point update, rather than releasing it via the security route.
>
> I've attached the patch that I'll add to the debian/patches in the
> package in stable.
>
> Please let me know what the next step I need to do is. Also, do you
> think it makes sense to patch the package in oldstable?
Thanks. That does seem a rather narrow attack vector. :-)

Nevertheless, assuming the patch has been tested in a squeeze environment and there aren't any other changes involved, please feel free to upload 0.6.3-3.2+squeeze1 to stable adding that patch.

If the same patch also applies to oldstable and has been tested there, then uploading an updated package for lenny would also be okay.

Regards,

Adam