On Mon, Dec 07, 2009 at 08:56:07AM +0100, Stefan Hornburg (Racke) wrote: > >CVE-2009-3736[0]: > >| ltdl.c in libltdl in GNU Libtool 1.5.x, and 2.2.6 before 2.2.6b, > >| attempts to open a .la file in the current working directory, which > >| allows local users to gain privileges via a Trojan horse file. > >Note that this problem also affects etch and lenny, so if your package > >is affected, please coordinate with the security team to release the > >DSA for the affected packages. > >If you fix the vulnerability please also make sure to include the > >CVE id in your changelog entry. > Is there a patch available for the vulnerability? The patch is to not use embedded copies of libltdl, we have a system libltdl that all packages should be using. It appears that courier-authlib is already doing this. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org
Attachment:
signature.asc
Description: Digital signature