Hi Vincent,

On Tue, Sep 03, 2013 at 09:01:03AM +0200, Vincent Bernat wrote:
> ❦ 3 September 2013 08:51 CEST, Salvatore Bonaccorso <car...@debian.org> :
>
> >> > Please adjust the affected versions in the BTS as needed. At least
> >> > 0.9.2 looks affected.
> >>
> >> Hi Salvatore!
> >>
> >> Previous versions are likely to be affected too. I will try to backport
> >> the patches. For version in Jessie and unstable, I will just upload
> >> 0.9.3.
> >
> > Thanks for your quick reply! From what I see about the vulnerability,
> > I would say this does not warrant a DSA, as the exploitability seems
> > to be limited to a user-assisted remote attacker.
>
> The exploit can be triggered by a user using a message as a template for
> a new message. This seems far-fetched, so I agree.
>
> > Do you agree on that conclusion? If yes I will mark this in the
> > security-tracker appropriately. Could you address in that case the
> > updates through a proposed-update instead?
>
> OK.

Thanks for confirming. I have marked it accordingly.

Regards,
Salvatore