
Re: tkman stable update for CVE-2008-5137



Hello Nico Golde!

On 30/11/2008 at 10:44 you wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for tkman some time ago.

> CVE-2008-5137[0]:
> | tkman in tkman 2.2 allows local users to overwrite arbitrary files via
> | a symlink attack on a (1) /tmp/tkman##### or (2) /tmp/ll temporary
> | file.
 
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable. It does
> not warrant a DSA.

> However it would be nice if this could get fixed via a regular point update[1].
> Please contact the release team for this.
 
> This is an automatically generated mail, in case you are already working on an
> upgrade this is of course pointless.
 
> For further information:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5137
> [1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

I've just uploaded a patched version (2.2-4). I'll be happy if someone reviews
the patch.

-- 
A computer scientist is someone who, when told to "Go to Hell,"
sees the "go to," rather than the destination, as harmful.
Regards /\/\ /\ >< `/

