Re: tkman stable update for CVE-2008-5137
* Maximiliano Curia [Sun, 30 Nov 2008 12:08:13 -0200]:
> Hello Nico Golde!
Hello Maxi!
> On 30/11/2008 at 10:44 you wrote:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for tkman some time ago.
> > CVE-2008-5137[0]:
> > | tkman in tkman 2.2 allows local users to overwrite arbitrary files via
> > | a symlink attack on a (1) /tmp/tkman##### or (2) /tmp/ll temporary
> > | file.
> > Unfortunately the vulnerability described above is not important enough
> > to get it fixed via regular security update in Debian stable. It does
> > not warrant a DSA.
> > However it would be nice if this could get fixed via a regular point update[1].
> > Please contact the release team for this.
> > This is an automatically generated mail, in case you are already working on an
> > upgrade this is of course pointless.
> > For further information:
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5137
> > [1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
> I've just uploaded a patched version (2.2-4), I'll be happy if someone reviews
> the patch.
Oh, I see that upload was to unstable, which is great for Lenny, but I
think Nico meant an upload to stable-proposed-updates. Do that if you
wish.
Cheers,
--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org
Listening to: Pet Shop Boys - Jealousy