I am looking at the CVEs in #742689. The URL listed http://packetstormsecurity.com/files/125850/DTC-A-20140324-002.txt lists 7 problems, but claims that upstream 1.2.2p3 (in sid) fixed 5 of them. The remaining 2 are:
5) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands (CVE-2014-2330)

6) Multiple use of exec-like function calls which allow arbitrary commands (CVE-2014-2331)

These CVE numbers appear to be reserved, but I can't find any details other than the brief mention in http://packetstormsecurity.com/files/125850/DTC-A-20140324-002.txt

Most of the links on
https://security-tracker.debian.org/tracker/CVE-2014-2330
https://security-tracker.debian.org/tracker/CVE-2014-2331
don't give any info; the RedHat link is for the full set of things, and it's not clear to me if they fixed these explicitly.

Maybe the brief descriptions on the packetstormsecurity page will be enough for someone on the security team to determine if there is anything to be done.

Thanks,

-- 
Matt Taggart
tagg...@debian.org