
Re: tkman stable update for CVE-2008-5137



* Maximiliano Curia [Sun, 30 Nov 2008 12:08:13 -0200]:

> Hello Nico Golde!

Hello Maxi!

> On 30/11/2008 at 10:44 you wrote:
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for tkman some time ago.

> > CVE-2008-5137[0]:
> > | tkman in tkman 2.2 allows local users to overwrite arbitrary files via
> > | a symlink attack on a (1) /tmp/tkman##### or (2) /tmp/ll temporary
> > | file.

> > Unfortunately the vulnerability described above is not important enough
> > to get it fixed via regular security update in Debian stable. It does
> > not warrant a DSA.

> > However it would be nice if this could get fixed via a regular point update[1].
> > Please contact the release team for this.

> > This is an automatically generated mail, in case you are already working on an
> > upgrade this is of course pointless.

> > For further information:
> > [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5137
> > [1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

> I've just uploaded a patched version (2.2-4), I'll be happy if someone reviews
> the patch.

Oh, I see that upload was to unstable, which is great for Lenny, but I
think Nico meant an upload to stable-proposed-updates. Do that if you
wish.

Cheers,

-- 
Adeodato Simó                                     dato at net.com.org.es
Debian Developer                                  adeodato at debian.org
 
                                  Listening to: Pet Shop Boys - Jealousy

