
Installed slrn 0.9.6.2-6 (source i386)



Installed:
slrn_0.9.6.2-6.diff.gz
  to dists/potato/main/source/news/slrn_0.9.6.2-6.diff.gz
  replacing slrn_0.9.6.2-5.diff.gz
slrn_0.9.6.2-6.diff.gz
  to dists/woody/main/source/news/slrn_0.9.6.2-6.diff.gz
  replacing slrn_0.9.6.2-5.diff.gz
slrnpull_0.9.6.2-6_i386.deb
  to dists/potato/main/binary-i386/news/slrnpull_0.9.6.2-6.deb
  replacing slrnpull_0.9.6.2-5.deb
slrnpull_0.9.6.2-6_i386.deb
  to dists/woody/main/binary-i386/news/slrnpull_0.9.6.2-6.deb
  replacing slrnpull_0.9.6.2-5.deb
slrn_0.9.6.2-6.dsc
  to dists/potato/main/source/news/slrn_0.9.6.2-6.dsc
  replacing slrn_0.9.6.2-5.dsc
slrn_0.9.6.2-6.dsc
  to dists/woody/main/source/news/slrn_0.9.6.2-6.dsc
  replacing slrn_0.9.6.2-5.dsc
slrn_0.9.6.2-6_i386.deb
  to dists/potato/main/binary-i386/news/slrn_0.9.6.2-6.deb
  replacing slrn_0.9.6.2-5.deb
slrn_0.9.6.2-6_i386.deb
  to dists/woody/main/binary-i386/news/slrn_0.9.6.2-6.deb
  replacing slrn_0.9.6.2-5.deb


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.6
Date: Wed,  9 Feb 2000 15:51:33 -0800
Source: slrn
Binary: slrn slrnpull
Architecture: source i386
Version: 0.9.6.2-6
Distribution: frozen unstable
Urgency: low
Maintainer: Joey Hess <joeyh@debian.org>
Description: 
 slrn       - threaded news reader (fast for slow links)
 slrnpull   - pulls a small newsfeed from an NNTP server
Closes: 57616
Changes: 
 slrn (0.9.6.2-6) frozen unstable; urgency=low
 .
   * Fixed 2 sprintf calls in launch_url that get untrusted text passed
     into them, and so could be used for exploits in theory.
   * Also fixed a quoting bug that let attackers run arbitrary commands by
     embedding them in URLs. (This is not entirely fixed, but you are safe if
     you use the suggested quoting in the slrn man page. It should really use
     exec..)
   * Luckily, there are 2 barriers for either of these security holes to be
     exploited: first, the user is presented with the url before the browser
     is launched (though an attacker could simply pad the front of the url with
     something innocuous and hope the victim didn't scroll all the way to the
     end of it). Second, you have to have non_Xbrowser or Xbrowser set in your
     .slrnrc, and they are not set by default. Still, this needs to go into
     frozen. Closes: #57616
   * The bug reporter is right, slrn needs a thorough audit. :-(
Files: 
 57fc404aced0d17c7739b6eef8930d65 558 news optional slrn_0.9.6.2-6.dsc
 69a06acd7bbc7ef6e01e471716c2789e 14465 news optional slrn_0.9.6.2-6.diff.gz
 4bfa7c8efcf69536ed6722535560a5d4 187258 news optional slrn_0.9.6.2-6_i386.deb
 59bbbed79295b481d9ec8750fc5d42b7 66642 news optional slrnpull_0.9.6.2-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4og0t2tp5zXiKP0wRAmBqAKC9Ji5auZYNhifAIjZxlHadkk3cswCfYhaO
rUGym5yMEgUEQn89JRiurnM=
=KhwN
-----END PGP SIGNATURE-----
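
The changelog's two fixes (bounded formatting instead of sprintf, and its remark that the launcher "should really use exec") can be sketched as follows. This is an added example, not slrn's code or the patch in this upload; the function names, the prompt text, and the assumption that the browser setting is a space-separated command with a standalone `%s` token are hypothetical.

```c
/* Added example, not slrn's code. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#define MAX_ARGS 16

/* Bounded replacement for sprintf(): fails instead of overflowing buf. */
int format_prompt(char *buf, size_t n, const char *url) {
    int r = snprintf(buf, n, "Launch browser for %s?", url);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Split the template on whitespace (in place) and substitute the URL for
 * the "%s" token as ONE argv element. Returns argc, or -1 on error. */
int build_browser_argv(char *tmpl, const char *url, char *argv[]) {
    int argc = 0, subst = 0;
    if (url[0] == '-') return -1;  /* would be read as a browser option */
    for (char *tok = strtok(tmpl, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc == MAX_ARGS) return -1;
        if (strcmp(tok, "%s") == 0) { argv[argc++] = (char *)url; subst++; }
        else argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return subst == 1 ? argc : -1;
}

/* Run the browser with fork()+execvp(): no shell ever parses the URL. */
int launch_browser(char *tmpl, const char *url) {
    char *argv[MAX_ARGS + 1];
    int status;
    pid_t pid;
    if (build_browser_argv(tmpl, url, argv) < 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char tmpl[] = "echo %s";  /* constructed stand-in for a browser command */
    char prompt[64];
    const char *url = "http://example.org/a;b c";  /* constructed sample URL */
    if (format_prompt(prompt, sizeof prompt, url) == 0) puts(prompt);
    return launch_browser(tmpl, url) == 0 ? 0 : 1;
}
```

Because the URL is handed to execvp() as a single argument, characters such as `;` or spaces in it reach the browser as data and no quoting in the configured command is needed.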

