On Fri, Nov 25, 2011 at 12:22:24PM +0100, Didier Raboud wrote:
> On Friday, 25 November 2011 12.16:06, Didier Raboud wrote:
> > found 635549 3.10.6-2
> > notfound 635549 3.11.10
> > thanks
> >
> > Hi Moritz,
> >
> > On Tuesday, 26 July 2011 23.07:01, Moritz Muehlenhoff wrote:
> > > Two security issues have been reported in hplip:
> > >
> > > 1. Shell command injection in foomatic-rip-hplip:
> > > https://bugzilla.novell.com/show_bug.cgi?id=698451
> > > This is CVE-2011-2697
> >
> > As far as I can see, the culprit file is foomatic-rip-hplip, which is only
> > shipped in hplip-ppds, and only in stable; testing and unstable versions
> > rely on the fixed foomatic-rip from the foomatic-filters package.
>
> Hmm. Wrong.
>
> usr/lib/cups/filter/foomatic-rip-hplip (the supposed culprit file) is already a
> symlink to usr/lib/cups/filter/foomatic-rip in the stable package. So this CVE
> doesn't affect any version bigger than what is in stable.
Confirmed. I've updated the security tracker.

However, we still need to update foomatic-filters to secure Squeeze. Since
you're also part of the maintainer group for foomatic-filters, could you
investigate/prepare fixed packages for these two issues in foomatic-filters?

http://security-tracker.debian.org/tracker/CVE-2011-2697
http://security-tracker.debian.org/tracker/CVE-2011-2964

A side note for CVE-2011-2697: there are two implementations of the affected
filter. The version from foomatic-filters 4.0 is written in C and has been
assigned CVE-2011-2964, and the version in foomatic-filters 3.x is written in
Perl and has been assigned CVE-2011-2697.

Cheers,
Moritz