
Re: rar oldstable update for CVE-2007-0855



On Mon, 2007-12-31 at 17:10 +0100, Nico Golde wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for rar some time ago.
> 
> CVE-2007-0855[0]:
> | Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR
> | and possibly other products, allows user-assisted remote attackers to
> | execute arbitrary code via a crafted, password-protected archive.
> 
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian oldstable. It does
> not warrant a DSA.
> 
> However it would be nice if this could get fixed via a regular point update.
> Please contact the release time for this.

Hi there, I'm unsure as to what you want for this.

From what I can tell, you're requesting an update of rar for oldstable?

May I remind you that the only way to fix this in _rar_ for oldstable is
to update it to at least 3.7 beta 1 of rar, due to it being a binary
package.

I can get this out to you tomorrow if you want (or whenever I get a
response to this) - it doesn't take too long to do an update for rar.

Also, as this is an automated email that I'm responding to - you might
want to change the wording of "Please contact the release time for
this." ... which makes no sense.

Kind Regards,
Martin Meredith
