Hi Axel, On Fri, Jul 26, 2013 at 03:42:13PM +0200, Axel Beckert wrote: > Anyway, at least Debian's default config is based on that file and > hence IMO not remotely vulnerable with its default configuration.
Agreed (also after checking the wheezy package). Would still be good to patch (or updating to new upstream version when possible) for the missing basename call, making hobbit also safe against the remove deletion vulnerability in non-default setups (and possibly trough a proposed-update for stable and oldstable). Possibly also for stable and oldstable through a proposed-updates. Regards, Salvatore -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

