
unblock barnowl 1.6.2-1 for #593299




Hi.  I'm asking for an unblock of barnowl in order to fix a security
problem.  Under certain error conditions an attacker or malicious IM
server could potentially exploit the vulnerabilities and run arbitrary
code.

Note that this unblock would move testing from 1.5.1 to 1.6.2.  I came
very close to uploading 1.6.2 during debconf but wanted to do some
additional testing, then the freeze was announced.  However after
thinking about this particular bug, I do think that squeeze would be far
better with these changes than without.

I can backport the change, but especially given that it is early in the
freeze and that there are a lot of very useful bug fixes between 1.5.1
and 1.6.2, I believe squeeze would be a better release if you unblocked
the new upstream.

If you do unblock, I'd prefer that you up the urgency of the upload I
made yesterday rather than waiting 10 days; I should have uploaded with
higher urgency.

Attached is the upstream changelog.

1.6.2
 * Use a uniquified debug file location. -nelhage@mit.edu
 * Open the debug file using O_EXCL and an explicit mode. -nelhage@mit.edu
 * Don't send AIM passwords to the debug log. -geofft@mit.edu
 * Remove some dead AIM code that sends local files to the server. -geofft@mit.edu
 * Handle errors from ZPending and ZReceiveNotice (CVE-2010-2725). -nelhage@mit.edu
 * Include the public repository URL in the README -alexmv@mit.edu
 * Install the documentation in 'make install'. -nelhage@mit.edu
 * Add a configure flag to enable/disable building with krb4. -wthrowe@mit.edu
 * Fix an infinite loop on 'view -r args'. -nelhage@mit.edu
 * Free paths to Zephyr dot-files when non-existent -davidben@mit.edu
 * Jabber: Accept a -m argument to jwrite to set the message. -nelhage@mit.edu

1.6.1
 * Jabber: Explain how to set your nick when joining a MUC. -andersk@mit.edu
 * Jabber: Make smartnarrow -i filter on subject. -andersk@mit.edu
 * Jabber: Fix completion of MUC names. -nelhage@mit.edu
 * Improve help for bindkey and unbindkey -leonidg@mit.edu
 * Fix a segfault in smartnarrow. -nelhage@mit.edu
 * Fix a race in handling of resize events. -andersk@mit.edu

1.6
 * Add :vp and :viewperson aliases for :viewuser. -kevinr@free-dissociation.com
 * Fix some bugs related to resize. -davidben@mit.edu
 * Don't auto-wrap text in command lines. -nelhage@mit.edu
 * Wrap input at 70 columns by default. -andersk@mit.edu
 * Support filtering on whether a message has been deleted. -nelhage@mit.edu
 * Properly quote strings containing newlines or tabs. -nelhage@mit.edu
 * Check for an unset mark in owl_editwin_replace_region. -nelhage@mit.edu
 * Add the "narrow-related" variable. -geofft@mit.edu
 * Fix a display bug under perl 5.12. -nelhage@mit.edu
 * Only use typewindelta when opening multiline editwins. -nelhage@ksplice.com
 * Add some checks to ./configure. -nelhage@mit.edu
 * Fix a use-after-free in popexec.c -nelhage@mit.edu
 * Make pseudologins asynchronous -asedeno@mit.edu
 * Fix some bugs in editwin handling and clean up code. -nelhage@ksplice.com
 * Add new command unbindkey for removing keybindings -leonidg@mit.edu
 * zcrypt: Implement AES encryption support using GPG. -nelhage@mit.edu
 * Add 2usage messages to everything in scripts/ -nelhage@mit.edu
 * Split zcrypt into an external, standalone binary. -nelhage@mit.edu
 * Fix minor documentation typo -alexmv@mit.edu
 * Document the init/cleanup vs. new/delete naming conventions. -andersk@mit.edu
 * Clean up code naming conventions to help avoid memory leaks. -andersk@mit.edu
 * Add edit:help command for zsh-style in-edit help -davidben@mit.edu
 * Use libpanel to simplify and improve display layer. -davidben@mit.edu
 * Jabber: Mention [-a <account>] in :help jwrite. -andersk@mit.edu
 * Fix zcrypt when compiling without krb4 -oremanj@MIT.EDU
 * Send multiple PRIVMSGs for IRC messages entered as multiple paragraphs -oremanj@mit.edu
 * Require automake ≥ 1.7.0, and don’t warn about portability to non-GNU make. -andersk@mit.edu
 * Makefile.am: Use only direct children in SUBDIRS, to appease automake 1.7. -andersk@mit.edu
 * IRC: irc-disconnect on a pending reconnect should cancel it. -nelhage@mit.edu
 * Complete several commands that accept a filename. -nelhage@mit.edu
 * Complete the 'print' and 'bindkey' commands. -nelhage@mit.edu
