
Re: Bug#308787: CVE IDs (bugzilla)



On Thu, May 19, 2005 at 05:26:50PM +0200, Alexis Sukrieh wrote:
> * Joey Hess (joeyh@debian.org) wrote:
> > Note that this hole has been assigned two CVE IDs:

> > CAN-2005-1564 post_bug.cgi in Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 allows
> > CAN-2005-1563 Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 displays a different

> Thanks to upstream collaboration, we now have a working patch for
> closing this security issue in the 2.16 branch (the first patch was not
> ok for 2.16[1]).

> I backported the full patch from 2.16.10 to our sarge package (2.16.7).
> It works pretty well on my sarge box.

> The package source is available on my repository:

>     deb-src http://www.sukria.net/debian ./

> I don't know what is the best thing to do here, as this is an update of
> the 2.16 package (which is in testing) and our sid package is 2.18...

> Maybe a t-p-u?

Yes, either t-p-u, or testing-security with the approval of the security
team.

-- 
Steve Langasek
postmodern programmer
