On Mon, 14 Dec 2009 19:58:54 +0100, Kurt Roeckx wrote:
> I think you're both not understanding each other.
>
> As I understand it, Michael is saying that the patch for the
> security issue is not applied to the package in Debian and
> that upstream has fixed that for the next release.
>
> As I understand Francesco, there is no need to apply the patch
> because it's using the full path of the module and so will
> never look into the current directory for the module.
Thank you for interjecting, Kurt. So based on Francesco's analysis, the package can be considered not affected, even though it still contains the vulnerable code. I did not give that statement enough due diligence initially, since I found that the currently released 1.3.2c1 package still contained the vulnerable code. I apologize for that oversight. If Francesco's analysis is correct, then I agree that the bug should remain closed. However, I plan to open a new bug about the fact that the embedded expat library is used rather than the system version, if that is OK?

Mike