On Fri, 2011-11-25 at 14:58 +0100, Didier Raboud wrote:
> after taking a closer look at #635549 and an IRC chat with the Security
> people, I propose to upload hplip to stable with the following changelog
> entry:
>
> hplip (3.10.6-2+squeeze0) stable; urgency=low
Why "+squeeze0"? +squeeze1 is more conventional.
> * Fix CVE-2011-2722 "Insecure tempfile handling" by patching the culprit
> code out. (Closes: #635549)
I'm assuming the debug code isn't likely to be used that often? The
upstream bug (<URL:https://bugs.launchpad.net/hplip/+bug/809904>)
implies that they were looking at replacing the code with a mkstemp()
call, rather than removing it. If it's basically unused then patching
it out should be okay though.
fwiw, my MUA failed to verify the signature on your mail.
Regards,
Adam
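The tempfile problem the thread and the upstream bug are talking about, shown as an added example that is neither hplip's code nor anything posted in this thread: a debug routine that writes to a fixed, predictable name in a world-writable directory, which a local user can turn into a symlink-following overwrite, next to the mkstemp()-based replacement the upstream bug mentions. All paths, function names and file contents below are constructed for the demo and are assumptions, not hplip's.

```c
/* Added example, not hplip's code: the generic insecure-tempfile pattern
 * versus the mkstemp() replacement. All paths and names are constructed. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: debug output goes to a fixed, predictable path in a
 * world-writable directory. fopen(path, "w") follows symlinks and truncates,
 * so a local user who plants a symlink at that path first gets the link
 * target overwritten with our data, with whatever privileges we run as. */
int write_debug_insecure(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(data, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened: mkstemp() fills the trailing XXXXXX with random characters and
 * opens with O_CREAT|O_EXCL and mode 0600, so a pre-planted symlink or file
 * at the chosen name makes the open fail instead of being followed. The
 * path actually chosen is written back into `template`. */
int write_debug_mkstemp(char *template, const char *data)
{
    int fd = mkstemp(template);
    if (fd < 0)
        return -1;
    size_t len = strlen(data), done = 0;
    while (done < len) {                       /* handle short writes */
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0) {
            close(fd);
            unlink(template);
            return -1;
        }
        done += (size_t)n;
    }
    return close(fd) == 0 ? 0 : -1;
}

/* Compare a file's whole contents to `expect`: 1 if equal, 0 otherwise. */
static int file_equals(const char *path, const char *expect)
{
    char buf[256];
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n == (ssize_t)strlen(expect) && memcmp(buf, expect, (size_t)n) == 0;
}

static void put_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); }
}

/* Demo: in a private scratch directory, plant a symlink at the predictable
 * debug path pointing at a "victim" file, then run both writers. Returns 1
 * when the insecure writer clobbered the victim and the mkstemp() writer
 * created a distinct regular file with no group/other permission bits and
 * left the victim alone; 0 on any other outcome (including setup failure). */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/tmpfile-demo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char victim[4096], link[4096], tmpl[4096];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/debug.out", dir);      /* predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/debug.XXXXXX", dir);   /* mkstemp template */

    put_file(victim, "original\n");                 /* constructed victim data */
    int ok = symlink(victim, link) == 0;            /* attacker's planted link */

    write_debug_insecure(link, "DEBUG DATA\n");
    int clobbered = file_equals(victim, "DEBUG DATA\n");

    put_file(victim, "original\n");                 /* reset for the second run */
    int rc = write_debug_mkstemp(tmpl, "DEBUG DATA\n");
    struct stat st;
    int safe = rc == 0
            && lstat(tmpl, &st) == 0 && S_ISREG(st.st_mode)
            && (st.st_mode & 077) == 0
            && strcmp(tmpl, link) != 0
            && file_equals(tmpl, "DEBUG DATA\n")
            && file_equals(victim, "original\n");

    if (rc == 0) unlink(tmpl);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return ok && clobbered && safe;
}

int main(void)
{
    printf("insecure writer clobbered the victim, mkstemp() did not: %s\n",
           demo_symlink_attack() ? "yes" : "no");
    return 0;
}
```

Two practitioner notes. First, keep using the descriptor mkstemp() hands back; re-opening the file by the returned name reintroduces the race the O_EXCL open just closed, and the file still has to be unlinked when you are done. Second, the demo deliberately uses its own mkdtemp() directory: on Linux with fs.protected_symlinks=1 the kernel refuses to follow a symlink in a sticky world-writable directory such as /tmp when the link's owner differs from the follower, so the classic attack on a real /tmp path is often blocked there today; that is a kernel mitigation, not a reason to keep fixed tempfile names in the code.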
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive:
http://lists.debian.org/[email protected]