Re: About the security issues affecting man-db in Squeeze

To: Raphael Hertzog <hertzog@debian.org>, debian-lts@lists.debian.org
Subject: Re: About the security issues affecting man-db in Squeeze
From: Colin Watson <cjwatson@debian.org>
Date: Wed, 16 Dec 2015 22:05:00 +0000
Message-id: <[🔎] 20151216220459.GR2181@riva.ucam.org>
In-reply-to: <[🔎] 20151216214330.GA1884@home.ouaza.com>
References: <[🔎] 20151216214330.GA1884@home.ouaza.com>

On Wed, Dec 16, 2015 at 10:43:30PM +0100, Raphael Hertzog wrote:
> the Debian LTS team recently reviewed the security issue(s) affecting your
> package in Squeeze:
> https://security-tracker.debian.org/tracker/CVE-2015-1336
> 
> We decided that we would not prepare a squeeze security update because
> I don't see how this could be exploited by anyone... an unprivileged user
> should first find a way to run as user man.

I haven't worked out a proper fix for this at all upstream yet, though
with any luck I'll find some time over the Christmas holidays.  As you
say it doesn't appear urgent.  I'm not at all promising that a fix will
be sanely backportable, though; it is likely to take considerable
refactoring work.

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply to:

References:
- About the security issues affecting man-db in Squeeze
  - From: Raphael Hertzog <hertzog@debian.org>

Prev by Date: Re: squeeze update of dwarfutils?
Next by Date: Re: squeeze update of dwarfutils?
Previous by thread: About the security issues affecting man-db in Squeeze
Next by thread: squeeze update of samba?
Index(es):
- Date
- Thread