
Re: rar oldstable update for CVE-2007-0855



Martin Meredith wrote:
> On Mon, 2007-12-31 at 17:10 +0100, Nico Golde wrote:
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for rar some time ago.
>>
>> CVE-2007-0855[0]:
>> | Stack-based buffer overflow in RARLabs Unrar, as packaged in WinRAR
>> | and possibly other products, allows user-assisted remote attackers to
>> | execute arbitrary code via a crafted, password-protected archive.
>>
>> Unfortunately the vulnerability described above is not important enough
>> to get it fixed via regular security update in Debian oldstable. It does
>> not warrant a DSA.
>>
>> However it would be nice if this could get fixed via a regular point update.
>> Please contact the release team for this.
> 
> Hi there, I'm unsure as to what you want for this.
> 
> From what I can tell, you're requesting an update of rar for oldstable? 
> 
> May I remind you that the only way to fix this in _rar_ for oldstable is
> to update it to at least 3.7 beta 1 of rar, due to it being a binary
> package.

Hmm, it sounds better to remove the package from oldstable and have a
note in the Release Notes about it...

Cheers

Luk

