[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: stalin: CVE-2015-8697: Insecure use of temporary files

Hi Rob,

On Wed, Jan 20, 2016 at 05:41:56AM -0600, Rob Browning wrote:
> Rob Browning <rlb@defaultvalue.org> writes:
> > I believe the package is scheduled to be removed next week, and I'm
> > still waiting on a discussion with upstream about a (non-trivial) patch
> > I wrote to attempt to address the problem.
> >
> > So I wanted to ask for an opinion about the claim here that it might be
> > reasonable to lower the severity:
> >
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=808730#20
> >
> > Thanks
> I just wanted to ping you, since today's the removal deadline.

Yes I think we can downgrade the severity for it to important, since
the attack vector is mitigated by the symlink restrictions enabled.


Attachment: signature.asc
Description: PGP signature

Reply to: