Nico Golde <[EMAIL PROTECTED]> wrote: Hi,
> This was marked as a security flaw with low impact in the > security tracker by me. So this is no "please upload as fast > as possible" bug but I think the patch won't hurt. The patch doesn't fix anything but makes it easier to do the check in its simplest form in the config file. This is not a vulnerability, it's not even a flaw because having the two URIs mismatch is allowed by the standard and happens in some setups for valid reasons. There's no hole in OpenSER itself; depending on the user setup, checking the URIs can be required or not, so it's entirely a config issue from there on. I don't consider this a security issue as far as Debian is concerned and I recommend not issuing a DSA for this. I feel issuing a DSA for this issue could potentially mislead our users, letting them think the update handles the problem when it doesn't. So if you agree with this, I'm just going to leave this bug open and I'll close it with the OpenSER 1.3 upload in december. JB. -- Julien BLACHE <[EMAIL PROTECTED]> | Debian, because code matters more Debian & GNU/Linux Developer | <http://www.debian.org> Public key available on <http://www.jblache.org> - KeyID: F5D6 5169 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

