Hi Nicolas,

* Nicolas Boullis <nboullis@debian.org> [2008-01-22 00:40]:
> On Sun, Jan 20, 2008 at 02:31:39PM +0100, Nico Golde wrote:
[...]
> > Unfortunately the vulnerability described above is not important enough
> > to get it fixed via a regular security update in Debian stable. It does
> > not warrant a DSA.
> >
> > However it would be nice if this could get fixed via a regular point update[1].
> > Please contact the release team for this.
>
> I don't think an update is needed. The issue only affects the cd-info
> and iso-info programs, that were not part of any binary package
> before 0.78.2-1. (Etch has 0.76-1.) Hence, only the source package is
> affected (that is, anyone who builds the programs from the source
> package). Is it something we should support?

Thanks for pointing this out. We did not check the package before the
decision to not update libcdio via a stable update. Since the binaries
are not affected and the attack vector for this specific vulnerability is
quite small, I think we could live with that in the sources.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.