On Tue, Dec 04, 2012 at 10:45:45PM +0100, Moritz Muehlenhoff wrote:
> On Mon, Dec 03, 2012 at 12:00:18PM +0100, Alessandro Ghedini wrote:
> > I opened a ticket upstream but it doesn't appear to be fixed. It's not
> > clear if Debian is affected though: the CVE was published 6 days after
> > the 1.1.0 release which partially reworked the hashing algorithms, but
> > Debian currently has only the one-year-old 1.0.3 version (the sid
> > version was reverted to 1.0.3 yesterday), which may not be affected.
> >
> > Though, if 1.0.3 is affected and if 1.1.0 is the fix (or if the fix is
> > based on it) I don't think it would be suitable for a wheezy upload,
> > since the reworked algorithms are not retrocompatible (see #694916).
>
> Given that there are no rdeps in Wheezy and cityhash hasn't been part of a
> release it would make more sense to start with the reworked 1.1.0 version?
> Even if it's late in the freeze.

I'd be ok with a removal from wheezy too. Still no news from upstream though.

Cheers

-- 
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'