
Re: duplicity stable update for CVE-2007-5201



On Sun, 13 Jan 2008 19:03:23 +0100, Nico Golde writes:
>the following CVE (Common Vulnerabilities & Exposures) id was
>published for duplicity some time ago.
>
>CVE-2007-5201[0]:
>| The FTP backend for Duplicity sends the password as a command line
>| argument when calling ncftp, which might allow local users to read the
>| password by listing the process and its arguments.

sorry for the late response; been a tad busy.

the cve entry actually doesn't apply to duplicity versions before 0.4.3,
because those implemented ftp directly, without using ncftp or the like.

the version in etch is 0.4.2-10.1 and hence doesn't contain the
problematic code.

>You can see the status of this vulnerability on:
>http://security-tracker.debian.net/tracker/CVE-2007-5201

can you update that info to show that we're in the green?

regards
az


-- 
+ Alexander Zangerl + DSA 42BD645D + (RSA 5B586291)
If USENET is anarchy, IRC is a paranoid schizophrenic after 6 days on speed.
-- Chris "Saundo" Saunderson
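The pattern the CVE text above describes (a credential handed to a helper program on its command line, where any local user can read it with `ps` or from `/proc/<pid>/cmdline`) can be made concrete with a small demonstration. The following is an added example and is not code from duplicity or from this thread; the helper flags (`-p`) and the Python stub that stands in for the FTP client are constructed for illustration and are not ncftp's real interface. It spawns the same stub twice, once with the password in argv and once with the password delivered on stdin, and has the child report whether the secret is visible in its own command line.

```python
"""Credential-on-argv exposure versus stdin delivery (constructed example).

The weak path mirrors the CVE-2007-5201 pattern: the secret is an argv
element of the child, so it is world-readable via the process table.
The safer path keeps argv free of the secret and writes it to the child's
stdin instead (a 0600 config file read by the child is another common
option; it is not shown here).
"""
import subprocess
import sys

# Stand-in for the FTP client. Hypothetical: takes "-p <password>" on argv
# when given, otherwise reads one line from stdin. It then checks its own
# /proc/self/cmdline (Linux only) and reports whether the secret appears.
CHILD_STUB = r'''
import sys
args = sys.argv[1:]
if "-p" in args:
    pw = args[args.index("-p") + 1]
else:
    pw = sys.stdin.readline().rstrip("\n")
try:
    cmdline = open("/proc/self/cmdline", "rb").read()
    exposed = str(pw.encode() in cmdline)
except OSError:
    exposed = "unavailable"   # no procfs on this platform
print(len(pw))
print(exposed)
'''


def password_in_argv(argv, password):
    """Pre-spawn check a backend can run on the argv it is about to exec."""
    return any(password in arg for arg in argv)


def _spawn(extra_args, stdin_text):
    argv = [sys.executable, "-c", CHILD_STUB] + extra_args
    proc = subprocess.run(argv, input=stdin_text, capture_output=True,
                          text=True, check=True)
    pw_len, exposed = proc.stdout.split()
    return int(pw_len), exposed


def weak_spawn(user, password, host):
    """Vulnerable pattern: secret placed in the child's argv.
    Returns (length received by child, exposure verdict from /proc)."""
    return _spawn(["-u", user, "-p", password, host], stdin_text="")


def safe_spawn(user, password, host):
    """Mitigated pattern: secret travels over stdin, argv carries no secret."""
    return _spawn(["-u", user, host], stdin_text=password + "\n")


if __name__ == "__main__":
    # Constructed sample credentials.
    print("weak:", weak_spawn("alice", "hunter2", "ftp.example.test"))
    print("safe:", safe_spawn("alice", "hunter2", "ftp.example.test"))
    print("argv check:", password_in_argv(["ftp-helper", "-p", "hunter2"], "hunter2"))
```

On Linux the weak call reports `True` for exposure and the safe call `False`; on platforms without `/proc` the stub reports `unavailable`, but the argv check still flags the weak command line before it is executed. The `password_in_argv` check is the kind of guard a backend can apply to any argv it builds, independent of which client program it eventually calls.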
