
Re: [SECURITY] [DSA 3258-1] quassel security update



On Tue, May 12, 2015 at 09:40:49PM +0200, Alessandro Ghedini wrote:
> It was discovered that the fix for CVE-2013-4422 in quassel, a
> distributed IRC client, was incomplete. This could allow remote
> attackers to inject SQL queries after a database reconnection (e.g.
> when the backend PostgreSQL server is restarted).
> 
> For the stable distribution (jessie), this problem has been fixed in
> version 1:0.10.0-2.3+deb8u1.
> 
> For the testing distribution (stretch), this problem has been fixed in
> version 1:0.10.0-2.4.
> 
> For the unstable distribution (sid), this problem has been fixed in
> version 1:0.10.0-2.4.

As far as I can tell from

https://security-tracker.debian.org/tracker/CVE-2013-4422

wheezy wasn't affected by the original CVE since the version of Qt
there is < 4.8.5. Is that correct? If so, what's the right way to mark this
fact in the security-tracker data?

Cheers,
Dominic.

