On Sat, 30 Jul 2005, Micah Anderson wrote:

> On Tue, 05 Apr 2005, Joey Hess wrote:
>
> >> Jaakko, I was reminded that this bug has been open for 7 weeks with
> >> no reaction. It's a minor and somewhat hypothetical security hole,
> >> but we have a fix for it; do you plan to close the bug soon?
>
> > Uh, it got buried under other things. Yeah, the fix is trivial, but
> > I won't have time to even look at it this week, so if you feel like,
> > please NMU. If not, I'll ask Twin or someone to do it.
>
> This was back in April, you said you didn't have time that week,
> almost three months have passed. Have you asked Twin to do it instead,
> and this person neglected to follow-up on it as well?

Got buried under other things as this thing is not exploitable.

> >> Btw, did someone inform upstream? There is no new upstream version,
> >> and I at least could not find anything grepping the subject lines
> >> of syslinux list archives..
>
> > No, I didn't inform upstream, I figured you knew how to best pass it on
> > to them.
>
> Have you informed upstream?

Yes, and his answer:

| It's not a security hole, since it would only be exploitable if you can
| substitute libc, in which case you have root on the machine anyway.
|
| Might as well clean it up to keep the whiners quiet, though.
|
| -hpa

--j