
Re: [SRM] Fixing CVE-2007-2452 in findutils/stable



Andreas Metzler wrote:
> Hej,

Hi Andreas

> I would like to make an upload to stable to fix CVE-2007-2452
> aka http://bugs.debian.org/426862 which is a heap-buffer overflow in
> locate.
> 
> According to Moritz Muehlenhoff there will not be a DSA for this,
> since the attack vector is relatively obscure and it additionally
> requires the local admin to actively change the configuration to
> force updatedb to use old-style db.
> 
> The fix has been in testing/sid since the start of June (4.2.31-1).
> 
> Suggested patch attached.

OK, feel free to upload, it will probably be included in r2.

Cheers

Luk


