On 08/30/2012 02:13 PM, Stefano Lattarini wrote: > Now that we use AM_TESTS_ENVIRONMENT, we should require at least > Automake >= 1.11.2; but since all the Automake version until 1.11.5 > are vulnerable to CVE-2012-3386: > > <https://lists.gnu.org/archive/html/automake/2012-07/msg00023.html> > > it's even better to require 1.11.6.
I don't like this idea: I'm personally using OpenSuSE 12.1 (which is still the current version) which comes with 1.11.1. To satisfy sc_vulnerable_makefile_CVE-2012-3386, I've patched my /usr/share/automake-1.11/am/distdir.am. So the question I'm putting forward is: shouldn't COREUTILS be at least compileable on the latest version of the major distributions? I think a check like sc_vulnerable_makefile_CVE-2012-3386 is enough. BTW: If you insist on this patch, then you also have to adapt README-prereq. Have a nice day, Berny
