Re: [SECURITY] [DSA 3258-1] quassel security update
On Tue, May 12, 2015 at 09:40:49PM +0200, Alessandro Ghedini wrote:
> It was discovered that the fix for CVE-2013-4422 in quassel, a
> distributed IRC client, was incomplete. This could allow remote
> attackers to inject SQL queries after a database reconnection (e.g.
> when the backend PostgreSQL server is restarted).
>
> For the stable distribution (jessie), this problem has been fixed in
> version 1:0.10.0-2.3+deb8u1.
>
> For the testing distribution (stretch), this problem has been fixed in
> version 1:0.10.0-2.4.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 1:0.10.0-2.4.

As far as I can tell from
https://security-tracker.debian.org/tracker/CVE-2013-4422
wheezy wasn't affected by the original CVE since the version of Qt
there is < 4.8.5. Is that correct? If so, what's the right way to mark this
fact in the security-tracker data?

Cheers,
Dominic.