Hi

1.19-1 source and binary packages work on stable, and the
differences to 1.18.4-2 are all local bugfixes, so I figure it
doesn't make any sense to separate bugfixes from bugfixes for a
special security fix for stable. Well, we could split out
storeBackupSync, though that new script is explicitly marked as
experimental.

I don't know the details of the security issues, but might have
some time over the weekend to look at it if needed.

Moritz Muehlenhoff wrote:
> Package: storebackup
> Version: 1.18.4-2
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Although it's not really mentioned in the changelog storebackup 1.19 fixed
> several security problems, which are still present in Sarge, they've been
> assigned CAN-2005-3150, CAN-2005-3149 and CAN-2005-3148:
> 
> Quoting upstream's changelog:
> - uid and gid were not set correctly for symbolic links in the
>   backups (in the files, not the description of the files)
> - check for symbolic links before opening temporary files
> - set permissions of backup root directory to 0755
>   (independent of umask)
> - uid and gid were not set correctly for symbolic links when
>   restoring, instead they were changed in the file where the
>   symlink pointed to

ciao, 2ri
-- 

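The quoted changelog names three classic Unix filesystem pitfalls: a temporary file opened without checking for a planted symlink, chown() on a restored symlink following the link and changing the owner of its target, and a mkdir() mode that is silently narrowed by the caller's umask. The following is an added illustration, written for this page in Python rather than storebackup's Perl; it is not storebackup's code and does not reproduce the actual vulnerable functions. The helper names (naive_write_tempfile, safe_write_tempfile, create_backup_root, set_symlink_owner, demo) and the victim/planted-symlink layout in a temporary directory are constructed for the demonstration.

```python
import errno
import os
import stat
import tempfile


def naive_write_tempfile(path, data):
    """The pattern the changelog entry warns about (hypothetical, not
    storebackup's code): open the temporary file without checking what is
    already at that path. If an attacker planted a symlink there, the data
    is written through the link into the attacker's chosen target."""
    with open(path, "w") as f:
        f.write(data)


def safe_write_tempfile(path, data):
    """Hardened variant: create atomically and never follow a symlink.
    O_EXCL makes open() fail with EEXIST if anything (including a symlink)
    already exists at path; O_NOFOLLOW additionally rejects a symlink with
    ELOOP. Checking with lstat() first and then opening would leave a race."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def create_backup_root(path):
    """mkdir() applies the process umask to the requested mode, so 0755 may
    come out as 0700 under umask 077. A second chmod() makes the final mode
    independent of the umask, as the changelog describes for the backup root."""
    os.mkdir(path, 0o755)
    os.chmod(path, 0o755)
    return stat.S_IMODE(os.stat(path).st_mode)


def set_symlink_owner(link_path, uid, gid):
    """chown() follows symlinks, so restoring a symlink's uid/gid with plain
    chown() changes the owner of whatever the link points to. Passing
    follow_symlinks=False uses lchown() and changes the link itself."""
    os.chown(link_path, uid, gid, follow_symlinks=False)


def demo():
    """Run the naive and hardened variants side by side in a scratch
    directory (constructed test fixture) and return what happened."""
    results = {}
    old_umask = os.umask(0o077)  # deliberately restrictive umask
    try:
        with tempfile.TemporaryDirectory() as d:
            victim = os.path.join(d, "victim")
            with open(victim, "w") as f:
                f.write("original")
            planted = os.path.join(d, "tmpfile")
            os.symlink(victim, planted)  # attacker wins the race for the temp name

            # Naive open follows the planted link and clobbers the victim.
            naive_write_tempfile(planted, "clobbered")
            with open(victim) as f:
                results["naive_victim_contents"] = f.read()

            # Hardened open refuses the pre-existing symlink; victim untouched.
            try:
                safe_write_tempfile(planted, "clobbered again")
                results["safe_error"] = None
            except OSError as e:
                results["safe_error"] = errno.errorcode.get(e.errno)
            with open(victim) as f:
                results["safe_victim_contents"] = f.read()

            # Backup root mode: mkdir alone vs. mkdir followed by chmod.
            naive_root = os.path.join(d, "naive-root")
            os.mkdir(naive_root, 0o755)
            results["naive_root_mode"] = stat.S_IMODE(os.stat(naive_root).st_mode)
            results["root_mode"] = create_backup_root(os.path.join(d, "backup-root"))

            # Restoring a symlink's owner without touching the target.
            link = os.path.join(d, "link")
            os.symlink(victim, link)
            target_uid_before = os.stat(victim).st_uid
            set_symlink_owner(link, os.getuid(), os.getgid())
            results["link_still_symlink"] = stat.S_ISLNK(os.lstat(link).st_mode)
            results["target_uid_unchanged"] = os.stat(victim).st_uid == target_uid_before
    finally:
        os.umask(old_umask)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership case cannot show a real owner change without root, so the demo only verifies that the lchown() path leaves the target's uid alone; the temp-file and umask cases are fully observable as an unprivileged user.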