* Steve Langasek [2005-05-05 02:36:01-0700]
> On Thu, May 05, 2005 at 12:12:11PM +0300, Recai Oktas wrote:
> > * Steve Langasek [2005-05-05 01:23:19-0700]
> > > On Thu, May 05, 2005 at 03:32:12AM -0400, Recai Oktaş wrote:
> > [...]
> > > > elog (2.5.7+r1558-2) testing-proposed-updates; urgency=high
> > > > .
> > > > * Fix a possible buffer overflow.
> > > > * Urgency set to high because of the security issue.
> > > > * Minor doc fix in welcome message.
> > > > * Improve package description.
> > >
> > > This changelog mentions neither a Debian bug number, nor a CVE id for this
> > > problem; is either available?
> >
> > No, neither is available. Should I first submit a bug for this issue?
>
> No, but please contact the security team and the testing security team to
> inform them of this upload.

Hi,

FYI, the new elog package was accepted for testing. As mentioned in my
previous posting[1], this version includes a fix[2] for a possible buffer
overflow. A long file name supplied in elogd configuration for the
'logfile' setting may cause such a buffer overflow. This problem has no
CVE id.

Regards,

[1] http://lists.debian.org/debian-security/2005/05/msg00008.html
[2] http://midas.psi.ch/cgi-bin/cvsweb/elog/src/elogd.c.diff?r1=1.637;r2=1.638;f=h

--
roktas