On Mon, Sep 24, 2007 at 12:01:07PM +0200, Thijs Kinkhorst wrote:
> On Mon, September 24, 2007 09:42, Gregory Colpart wrote:
> > I report that imp4/etch is *not* vulnerable to
> > CVE-2007-1515 (corrected in #415117). I add CVE-id to imp4's
> > changelog in our GNU Arch repository but I mention it here because no
> > upload is expected in the next weeks.
>
> Thanks for letting us know. Could you briefly say why it's not vulnerable,
> e.g. the vulnerable code is not in that version, or some other reason?

You probably saw the answer from Nico Golde, but I give you more details
here: a patch[*] for this issue was applied in imp4 4.1.3-4 (the version
currently in etch). This patch is a backport of upstream security
changes.

[*] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=22;filename=imp-XSS-fix.patch;att=1;bug=415117

Regards,
--
Gregory Colpart <[EMAIL PROTECTED]>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres  http://www.evolix.fr/
