Thanks for the heads-up. Yes, it appears the 2003 change was not sufficiently
paranoid about ".." in member names. Luckily, the tar manual still documents the
pre-2003 behavior, so we can restore that behavior as a simple bug fix. I
installed the attached patch into Savannah as one way to do

Hi all,
(Debian maintainers, Debian security teams and upstream bug mailing list
in CC.)
I have added notes regarding the "/../" mismatch security issue in the
security tracker here:
https://security-tracker.debian.org/tracker/CVE-2016-6321
Basically, there's a proof of concept here:

On Sun, Oct 23, 2016 at 08:59:47AM +0100, Chris Lamb wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of sendmail:
> https://security-tracker.debian.org/tracker/source-package/sendmail
>
> Would you

Hi,
On Thu, Oct 27, 2016 at 02:36:33PM -0400, Antoine Beaupré wrote:
> On 2016-10-21 06:27:07, Guido Günther wrote:
> > On Fri, Oct 21, 2016 at 11:14:24AM +0100, Chris Lamb wrote:
>
> [... nice template ... although maybe not CC the list?]
>
> > I'd just use bin/report-vuln ?
>
> Did you start

On Fri, 28 Oct 2016 14:05:25 +0200 Salvatore Bonaccorso wrote:
> Hi
>
> I now have uploaded the version (see previously sent debdiff) to
> security master and will release the regression update once all archs
> have built the packages.
Hello,
I have just tested the new revision