On Sat, May 02, 2009 at 06:53:44PM +0200, David Martínez Moreno wrote:
> El viernes, 1 de mayo 2009, Moritz Muehlenhoff escribió:
> > Package: memcached
> > Severity: important
> > Tags: security
> >
> > Please see this link for more information:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1494
>
> Hello, Moritz. The binary version in stable shouldn't be vulnerable,
> as the
> advisory clearly specifies that the problem happens with multithreading
> enabled.
>
> For the unstable distribution, I'm just testing new packages.
>
> Anyway, the affected code is there for anybody who wants to rebuild the
> package with multithreading. What should I do, release a new package with
> that funtionality removed? I can supply the full diff for releasing
> 1.2.2-1.lenny1 if you want, but I'd like to know the Security Team official
> statement in this case.
Thanks. I don't think we need to fix this for stable, it's a minor issue and
sufficient if fixed for Squeeze. Custom-built source packages don't fall under
the Debian security support (with the exception of the Linux kernel).
Cheers,
Moritz
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
