
Re: rssh_2.2.3-1.sarge.2 package with command line parsing fixed.



Russ Allbery wrote:
> > Debian 3.1r2 shipped with a broken rssh package due to a bug introduced
> > with a security fix.
> 
> > I have prepared a new package () with the problem fixed. The patch is
> > attached.
> 
> > The package can be found from
> > http://debian.pumuki.org/rssh/rssh_2.2.3-1.sarge.2_i386.changes
> 
> This probably needs an update on security.debian.org as well, and maybe an
> advisory or advisory update (not sure).  I mailed team@security a while
> back about it with the same patch and got an acknowledgement, but I think
> they then ran out of time to deal with it.
> 
> Cc'ing team@security as a status ping on that.

IIRC CVE-2005-3345 was fixed by an upload, which should have gone to the security
queue, but ended up in the proposed updates for stable. It was later acked by
stable release managers instead of sending out a DSA. Is this an rssh issue
which was there all the time, or an issue which was introduced by the sarge1
fix?

Cheers,
        Moritz


