On Sat, May 02, 2009 at 06:53:44PM +0200, David Martínez Moreno wrote:
> On Friday, 1 May 2009, Moritz Muehlenhoff wrote:
> > Package: memcached
> > Severity: important
> > Tags: security
> >
> > Please see this link for more information:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1494
>
> Hello, Moritz. The binary version in stable shouldn't be vulnerable, as the
> advisory clearly specifies that the problem happens with multithreading
> enabled.
>
> For the unstable distribution, I'm just testing new packages.
>
> Anyway, the affected code is there for anybody who wants to rebuild the
> package with multithreading. What should I do, release a new package with
> that functionality removed? I can supply the full diff for releasing
> 1.2.2-1.lenny1 if you want, but I'd like to know the Security Team official
> statement in this case.

Thanks. I don't think we need to fix this for stable, it's a minor issue and
sufficient if fixed for Squeeze. Custom-built source packages don't fall under
the Debian security support (with the exception of the Linux kernel).

Cheers,
Moritz