Hi,

[I'm fairly new to this so please apply the cluebat gently.]
[Please CC me on any replies as I'm not subscribed to this list.]

I don't think there is anything I need to do in response to the message below because:

1. Plait is not actually in Debian stable.
2. The packaging for the version currently in Testing/Unstable (1.5.2-2) includes a patch for this CVE.
3. Plait 1.6.2-1 is ready and awaiting a sponsor [1]

Please let me know if I'm wrong and need to do more.

Thanks, Dave.

[1] http://lists.debian.org/debian-mentors/2008/09/msg00179.html

PS. The wording of this sentence in the email is a little awkward: "This is an automatically generated mail, in case you are already working on an upgrade this is of course pointless."

On Thu, Oct 2, 2008 at 9:44 PM, Nico Golde <[EMAIL PROTECTED]> wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for plait some time ago.
>
> CVE-2008-4085[0]:
> | Plait before 1.6 allows local users to overwrite arbitrary files via a
> | symlink attack on (1) cut.$$, (2) head.$$, (3) awk.$$, and (4) ps.$$
> | temporary files in /tmp/.
>
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable. It does
> not warrant a DSA.
>
> However it would be nice if this could get fixed via a regular point
> update[1].
> Please contact the release team for this.
>
> This is an automatically generated mail, in case you are already working on an
> upgrade this is of course pointless.
>
> For further information:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4085
> [1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable
>
> Kind regards
> Nico
>
> --
> Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
> For security reasons, all text in this mail is double-rot13 encrypted.

--
David Symons
Armidale NSW Australia
http://www.liberatedcomputing.net
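The CVE quoted above describes the classic predictable-temp-file bug: a shell script writes to `/tmp/<tool>.$$`, the PID-based name is guessable, and a pre-planted symlink at that path is followed on write. The block below is an added illustration for this thread, not plait's code or the Debian patch; the `plait.XXXXXX` template, the `tmp_is_safe` helper and the `demo` function are all assumed names chosen here. It contrasts the weak pattern with a `mktemp`-based one and adds a check that refuses to use a path that turned out to be a symlink.

```shell
#!/bin/sh
# Added example for the CVE-2008-4085 temp-file pattern; not code from plait
# or from the Debian packaging. Function and template names are assumptions.

# Weak pattern (the one the CVE describes): name derives from the PID only,
# and a plain redirection follows any symlink already sitting at that path.
# Kept here for contrast only; nothing below calls it.
unsafe_write() {
    printf '%s\n' "$1" > "/tmp/cut.$$"
}

# Hardened: mktemp picks a random suffix and creates the file itself with
# O_EXCL and mode 0600, so an attacker cannot have pre-created the name.
make_safe_tmp() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/plait.XXXXXX") || return 1
    printf '%s\n' "$tmp"
}

# Belt-and-braces check before reusing a temp path: it must not be a symlink,
# must be a regular file, and must be owned by the effective user.
tmp_is_safe() {
    path=$1
    [ ! -L "$path" ] || return 1
    [ -f "$path" ] || return 1
    [ -O "$path" ] || return 1
    return 0
}

# Typical use: create, write through a pipeline, verify, clean up on exit.
# Constructed input 'a b c' stands in for whatever plait would pipe through cut.
demo() {
    t=$(make_safe_tmp) || return 1
    trap 'rm -f "$t"' EXIT
    printf 'a b c\n' | cut -d' ' -f2 > "$t"
    tmp_is_safe "$t" || return 1
    cat "$t"
}
```

`mktemp` is the portable fix for scripts; the `trap` ensures the file is removed even when the script is interrupted, which also keeps a leftover predictable name from becoming a target later.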

