Re: rssh_2.2.3-1.sarge.2 package with command line parsing fixed.
Moritz Muehlenhoff <jmm@inutil.org> writes:
> Russ Allbery wrote:
>> This probably needs an update on security.debian.org as well, and maybe
>> an advisory or advisory update (not sure). I mailed team@security a
>> while back about it with the same patch and got an acknowledgement, but
>> I think they then ran out of time to deal with it.
>>
>> Cc'ing team@security as a status ping on that.
> IIRC CVE-2005-3345 was fixed by an upload, which should have gone to the
> security queue, but ended up in the proposed updates for stable. It was
> later acked by stable release managers instead of sending out a DSA. Is
> this an rssh issue which was there all the time, or an issue which was
> introduced by the sarge1 fix?
CVE-2005-3345 is a different issue. The fix for CVE-2005-3345 in -sarge1
currently in stable introduced a new, even more serious security
vulnerability, which was fixed in unstable with 2.3.0-1.1. See
Bug#363978.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>