
Re: CAN-2003-0020?



On Sun, Apr 18, 2004 at 08:47:16PM +0200, Jan L?hr wrote:

> On Sunday, 18 April 2004 18:56, Matt Zimmerman wrote:
> > On Sat, Apr 17, 2004 at 10:16:11PM +0200, Jan L??hr wrote:
> > > what about
> > > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020 ? Is
> > > Debian finally going to fix it?
> >
> > Current consensus between the security team and the Apache maintainers is
> > that it is not necessary to fix this in woody.
> 
> Ehm... why ? ;) 

The same issue applies to any file which contains data supplied by an
untrusted source.  This is a fundamental Unix feature (or flaw).  Terminal
control sequences may be contained in the data.

> What about sarge or sid?

If this were important to you, I expect you would have read the changelog
already, and discovered that it has been fixed in sarge and sid for over a
month.

-- 
 - mdz
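
Added example, not part of the original message or of Apache's code: a filter a log viewer could apply so that control sequences in untrusted data are shown as text instead of being interpreted by the terminal. The function names, the `\xNN` escape format and the sample log line are assumptions constructed for this illustration.

```python
import re

# Anything other than printable ASCII and tab is rewritten before display.
_UNSAFE = re.compile(rb"[^\x20-\x7e\t]")

# Escape sequences, matched only to report what the line contained.
_ESC_SEQ = re.compile(
    rb"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI: ESC [ params final
    rb"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"   # OSC: ESC ] text BEL or ST
    rb"|\x1b[@-Z\\-_]?"                       # other ESC pairs, or a lone ESC
)

# Constructed sample: an error-log line whose request path carries a
# window-title sequence and a clear-screen sequence.
SAMPLE = (b"[Sun Apr 18 20:47:16 2004] [error] [client 192.0.2.7] "
          b"File does not exist: /var/www/\x1b]0;title\x07\x1b[2Jindex.html\n")


def find_sequences(line: bytes) -> list[bytes]:
    """Return every escape sequence found in a raw log line."""
    return _ESC_SEQ.findall(line)


def neutralize(line: bytes) -> str:
    """Return the line as plain ASCII that is safe to print to a terminal."""
    body = line.rstrip(b"\r\n")
    # Double literal backslashes first so the output stays unambiguous.
    body = body.replace(b"\\", b"\\\\")
    escaped = _UNSAFE.sub(lambda m: b"\\x%02x" % m.group()[0], body)
    return escaped.decode("ascii")


if __name__ == "__main__":
    print("sequences:", find_sequences(SAMPLE))
    print(neutralize(SAMPLE))
```

Tools that already escape non-printable bytes when paging a file give the same protection; the risk described above arises when raw bytes reach the terminal, for example through `cat` or `tail -f`.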


