forwarded 694999 http://code.google.com/p/cityhash/issues/detail?id=10
kthxbye

On Mon, Dec 03, 2012 at 08:22:47AM +0100, Moritz Muehlenhoff wrote:
> Package: cityhash
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,

Hi,

> please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6051
>
> I'm not sure if/when this was fixed upstream, so better contact upstream.

I opened a ticket upstream but it doesn't appear to be fixed.

It's not clear if Debian is affected though: the CVE was published 6 days after the 1.1.0 release which partially reworked the hashing algorithms, but Debian currently has only the one-year-old 1.0.3 version (the sid version was reverted to 1.0.3 yesterday), which may not be affected.

Though, if 1.0.3 is affected and if 1.1.0 is the fix (or if the fix is based on it) I don't think it would be suitable for a wheezy upload, since the reworked algorithms are not retrocompatible (see #694916).

Cheers

-- 
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'