On 23 May 2013 16:16, Jakub Wilk <jw...@debian.org> wrote:
> * Jakub Wilk <jw...@debian.org>, 2013-05-20, 17:18:
>> * Henri Salo <he...@nerv.fi>, 2013-05-16, 16:03:
>>> CVE request: http://www.openwall.com/lists/oss-security/2013/05/15/6
>>> Upstream: http://bugs.python.org/issue17980
>>
>> Unfortunately, we have quite a few embedded copies of this code. :(
>
> I've found a few more...
Fix applied upstream and will therefore be in the next release:
https://github.com/0install/0install/commit/0c5b21d47b6007ac764430638a476418688bce16

I think this is very low risk for 0install: it means that an attacker with a valid but badly formed X.509 certificate could prevent a user from installing new software, as long as the attacker can intercept and modify the user's network communications. But in that case they could prevent the user from downloading anything anyway.

Thanks,

--
Dr Thomas Leonard http://0install.net/
GPG: 9242 9807 C985 3C07 44A6 8B9A AE07 8280 59A5 3CC1
GPG: DA98 25AE CAD0 8975 7CDA BD8E 0713 3F96 CA74 D8BA

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org