[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: duplicity stable update for CVE-2007-5201

On Sun, 13 Jan 2008 19:03:23 +0100, Nico Golde writes:
>the following CVE (Common Vulnerabilities & Exposures) id was
>published for duplicity some time ago.
>| The FTP backend for Duplicity sends the password as a command line
>| argument when calling ncftp, which might allow local users to read the
>| password by listing the process and its arguments.

sorry for the late response; been a tad busy.

the cve entry actually doesn't apply to duplicity versions before 0.4.3,
because those implemented ftp directly, without using ncftp or the like.

the version in etch is 0.4.2-10.1 and hence doesn't contain the 
problematic code.

>You can see the status of this vulnerability on:

can you update that info to show that we're in the green?


+ Alexander Zangerl + DSA 42BD645D + (RSA 5B586291)
If USENET is anarchy, IRC is a paranoid schizophrenic after 6 days on speed.
-- Chris "Saundo" Saunderson

Attachment: signature.asc
Description: Digital Signature

Reply to: