On Sat, Aug 18, 2012 at 11:38:51AM +0200, Tanguy Ortolo wrote:
> Tanguy Ortolo, 2012-08-17 11:04+0200:
>> I have just had a look at the code: squeeze is affected. I shall
>> prepare an update by hand.
>
> Well, after looking more closely, it appears that in fact, it is not.
> The fix for version 0.0.20120125 in testing does apply to 0.0.20091225
> in stable after some modifications, but:
> 1. it breaks some functionality;
> 2. it is useless, because it is meant to cover a use case that did not
> exist at the time (the code to process the POST argument do=media of
> the possible attack is only present in 0.0.20120125).
>
> So, sorry for my hesitation with this bug…

Thanks, I've updated the Debian security tracker.

Cheers,
Moritz