On Fri, Sep 05, 2003 at 11:07:12PM +0100, Dale Amon wrote:
> On Fri, Sep 05, 2003 at 08:19:46PM +0200, Frank Lichtenheld wrote:
> > The question that remains is: Does this require a security update for
> > the woody version of the package? Or should I just try to get this
> > fixed in the next release (of the package)?
>
> I'd say yes. It's one for which someone might be able to
> craft an attack although there may be some uncertainty
> in that; but I've seen security updates with no more
> reason than that.

Only root has control over apt's packages lists and the dpkg status file, so I wouldn't be too concerned about this from a security standpoint. It's still sloppy, and I would think twice before stepping forward to take over maintenance of such a program, rather than simply dropping it from the distribution.

--
 - mdz