[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rssh_2.2.3-1.sarge.2 package with command line parsing fixed.

Moritz Muehlenhoff <jmm@inutil.org> writes:
> Russ Allbery wrote:

>> This probably needs an update on security.debian.org as well, and maybe
>> an advisory or advisory update (not sure).  I mailed team@security a
>> while back about it with the same patch and got an acknowledgement, but
>> I think they then ran out of time to deal with it.
>> 
>> Cc'ing team@security as a status ping on that.

> IIRC CVE-2005-3345 was fixed by an upload, which should have gone to the
> security queue, but ended up in the proposed updates for stable. It was
> later acked by stable release managers instead of sending out a DSA. Is
> this an rssh issue, which was there all the time, or an issue, which was
> introduced by the sarge1 fix?

CVE-2005-3345 is a different issue.  The fix for CVE-2005-3345 in -sarge1
currently in stable introduced a new, even more serious security
vulnerability, which was fixed in unstable with 2.3.0-1.1.  See
Bug#363978.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
Reply to: