Marc Merlin wrote:
> On Thu, Aug 26, 1999 at 09:47:22AM -0700, Aleph One wrote:
> > ----------------------------------------------------------------------------
> > Debian Security Advisory                                 [EMAIL PROTECTED]
> > http://www.debian.org/security/                               Martin Schulze
> > August 26, 1999
> > ----------------------------------------------------------------------------
> >
> > Red Hat has recently released a Security Advisory (RHSA-1999:030-01)
> > covering a buffer overflow in the vixie cron package.  Debian has
> > discovered this bug two years ago and fixed it.  Therefore versions in
> > both, the stable and the unstable, distributions of Debian are not
> > vulnerable to this problem.
>
> Does anyone know  if Debian never sent the  fix to Paul Vixie, or  if it was
> sent and Paul "missed it"?
>
> Even in the second case, unless Paul repeatedly refused the patch, it'd have
> been  nice  for the  Debian  maintainer  to make  sure  that  the patch  was
> incorporated in the main source code, not just in Debian...

The upstream source of Vixie Cron hasn't been maintained for years.
I remember working on the same code before I joined Debian, trying
to send him patches.

The patch wasn't hidden, Caldera knew it and Caldera immediately
reacted to the advisory from Red Hat, stating that it's an old
- and fixed - bug.

Regards,

        Joey

--
The good thing about standards is that there are so many to choose from.
        -- Andrew S. Tanenbaum
