Hi,

On Sun, Mar 18, 2012 at 09:27:40PM +0000, Jonathan Wiltshire wrote:
> Recently you fixed one or more security problems and as a result you closed
> this bug. These problems were not serious enough for a Debian Security
> Advisory, so they are now on my radar for fixing in the following suites
> through point releases:
[…]

I don't think they warrant an update in a point release.  Also the fixes would
require binNMUs for both sobby and gobby given the nature of C++ templates.

CVE-2011-4091 is information leakage about the presence of logged in users.
The nature of the protocol is already that it's not high security (given its
use of anonymous DH TLS handshakes).  CVE-2011-4093 might be an issue on
32-bit architectures, but I'm pretty sure that MAX_INT connections would be
noticed at some point.

If you convince me that the latter is worth fixing, we can of course take both
patches, upload them to stable and arrange for proper binNMUs.

Kind regards
Philipp Kern
