Re: rssh_2.2.3-1.sarge.2 package with command line parsing fixed.



Russ Allbery wrote:
> >> This probably needs an update on security.debian.org as well, and maybe
> >> an advisory or advisory update (not sure).  I mailed team@security a
> >> while back about it with the same patch and got an acknowledgement, but
> >> I think they then ran out of time to deal with it.
> >> 
> >> Cc'ing team@security as a status ping on that.
> 
> > IIRC CVE-2005-3345 was fixed by an upload, which should have gone to the
> > security queue, but ended up in the proposed updates for stable. It was
> > later acked by stable release managers instead of sending out a DSA. Is
> > this an rssh issue, which was there all the time, or an issue, which was
> > introduced by the sarge1 fix?
> 
> CVE-2005-3345 is a different issue.  The fix for CVE-2005-3345 in -sarge1
> currently in stable introduced a new, even more serious security
> vulnerability, which was fixed in unstable with 2.3.0-1.1.  See
> Bug#363978.

Ok, I'll push this into the security buildd network tonight and release a DSA.

Cheers,
        Moritz