Hi Nicolas,

* Nicolas Boullis <[EMAIL PROTECTED]> [2008-01-22 00:40]:
> On Sun, Jan 20, 2008 at 02:31:39PM +0100, Nico Golde wrote:
> [...]
> > Unfortunately the vulnerability described above is not important enough
> > to get it fixed via a regular security update in Debian stable. It does
> > not warrant a DSA.
> >
> > However it would be nice if this could get fixed via a regular point
> > update[1].
> > Please contact the release team for this.
>
> I don't think an update is needed. The issue only affects the cd-info
> and iso-info programs, which were not part of any binary package
> before 0.78.2-1. (Etch has 0.76-1.) Hence, only the source package is
> affected (that is, anyone who builds the programs from the source
> package). Is it something we should support?
Thanks for pointing this out. We did not check the package before the
decision to not update libcdio via a stable update. Since the binaries
are not affected and the attack vector for this specific vulnerability
is quite small, I think we could live with that in the sources.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

