Ok, I had a look at the issue, and a far as I can see debian/patches/any/cvs-ignore-origin-privileged.diff (which is applied) does fix the problems. I can not claim to have understood the topic in its entirety, though and I am by no means an expert in *libc. As such I do not understand the patches/any/cvs-dont-expand-dst-twice.diff and debian/patches/any/cvs-audit-suid.diff, though they seem to address the problems described in CVE-2010-3856. So, somebody else might still have a look at that. cu AW -- [...] If you don't want to be restricted, don't agree to it. If you are coerced, comply as much as you must to protect yourself, just don't support it. Noone can free you but yourself. (crag, on Debian Planet) Arne Wichmann (aw@linux.de)
Attachment:
signature.asc
Description: Digital signature