Raphael Geissert uploaded new packages for lintian which fixed the following security problems: CVE-2009-4013: missing control files sanitation Control field names and values were not sanitised before using them in certain operations that could lead to directory traversals. Patch systems' control files were not sanitised before using them in certain operations that could lead to directory traversals. CVE-2009-4014: format string vulnerabilities Multiple check scripts and the Lintian::Schedule module were using user-provided input as part of the sprintf/printf format string. CVE-2009-4015: arbitrary command execution File names were not properly escaped when passing them as arguments to certain commands, allowing the execution of other commands as pipes or as a set of shell commands. For the lenny-backports distribution the problems have been fixed in version 2.3.2~bpo50+1. Upgrade instructions -------------------- If you don't use pinning (see [1]) you have to update the package manually via "apt-get -t lenny-backports install lintian". [1] <http://backports.org/dokuwiki/doku.php?id=instructions> We recommend to pin the backports repository to 200 so that new versions of installed backports will be installed automatically. Package: * Pin: release a=lenny-backports Pin-Priority: 200
Attachment:
signature.asc
Description: This is a digitally signed message part.