[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rar oldstable update for CVE-2007-0855

Martin Meredith wrote:
> On Mon, 2007-12-31 at 17:10 +0100, Nico Golde wrote:
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for rar some time ago.
>> CVE-2007-0855[0]:
>> | Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR
>> | and possibly other products, allows user-assisted remote attackers to
>> | execute arbitrary code via a crafted, password-protected archive.
>> Unfortunately the vulnerability described above is not important enough
>> to get it fixed via regular security update in Debian oldstable. It does
>> not warrant a DSA.
>> However it would be nice if this could get fixed via a regular point update.
>> Please contact the release time for this.
> Hi there, I'm unsure as to what you want for this.
> From what I can tell, you're requesting an update of rar for oldstable? 
> May I remind you that the only way to fix this in _rar_ for oldstable is
> to update it to at least 3.7 beta 1 of rar. due to it being a binary
> package.

Hmm, it sounds better to remove the package from oldstable and have a
note in the Release Notes about it...



Reply to: