[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: libcdio stable update for CVE-2007-6613

Hi Nicolas,
* Nicolas Boullis <nboullis@debian.org> [2008-01-22 00:40]:
> On Sun, Jan 20, 2008 at 02:31:39PM +0100, Nico Golde wrote:
> > Unfortunately the vulnerability described above is not important enough
> > to get it fixed via regular security update in Debian stable. It does
> > not warrant a DSA.
> > 
> > However it would be nice if this could get fixed via a regular point update[1].
> > Please contact the release team for this.
> I don't think an update is needed. The issue only affects the cd-info 
> and iso-info programs, that were not part of any binary package package 
> before 0.78.2-1. (Etch has 0.76-1.) Hence, only the source package is 
> affected (that is anyone who builds the programs from the source 
> package). Is it something we should support?

Thanks for pointing this out. We did not check the package 
before the decision to not update libcdio via a stable 
update. Since the binaries are not affected and the attack 
vector for this specific vulnerability is quite small I 
think we could live with that in the sources.

Kind regards
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: pgpa9oSHQ01Yy.pgp
Description: PGP signature

Reply to: