
Re: smokeping DLA test



On 2015-11-26 07:57:09, Niko Tyni wrote:
> [cc'ing you just in case you aren't subscribed]
>
> On Wed, Nov 25, 2015 at 12:29:40PM -0500, Antoine Beaupré wrote:
>  
>> this is my first DLA, so i want to make sure i am doing this
>> right... Already i am worried i have skipped a step because i have
>> already reserved DLA-348-1 in the security tracker for this... But i
>> feel this is not so much of a problem as I haven't sent the advisory
>> just yet.
>> 
>> The DLA covers an old security issue that was never fixed in squeeze,
>> but also a new security issue that was just pushed to security-master
>> for wheezy and jessie today.
>
> Hi, the new security issue is clearly CVE-2015-0859, but the squeeze
> version of smokeping isn't vulnerable AFAICS?
>
> It doesn't have the 'shift @ARGV' thing in the CGI script, that was
> introduced in 2.6.5-1 (so between squeeze and wheezy) and I can't see
> it using command line arguments for anything else either...

Hmm... interesting, i haven't noticed that at all!

Somehow i still built the package with the (harmless) fix... I wonder
what to do now - i uploaded the package, but haven't received a
confirmation from the incoming daemons that it was processed, which is
strange because it's been more than 12 hours.

Maybe I can rebuild the package with just CVE-2013-4168?

A.

-- 
It takes a whole village to raise a child.
                        - African proverb

