On Tuesday 19 February 2008 19:20:23 Nico Golde wrote:

> * Tim Brown <[EMAIL PROTECTED]> [2008-02-19 20:08]:
> > I've just noticed that the security tracker
> > http://security-tracker.debian.net/tracker/status/release/unstable has
> > been updated for festival.  However it is wrong.  This bug *is* remotely
> > exploitable (due to the aforementioned lack of ACLs).
>
> Sure it is :) The remote exploitability status isn't set
> manually by us. This is extracted automatically from the NVD
> text http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4074 which
> doesn't mention the word 'remote'. I think that's the
> reason. Patches welcome :)

Okay, so the CVE entry is wrong (which probably explains why it wasn't 
correctly resolved by the maintainers when it was first looked at).  It 
probably also needs rewording since SuSE confirmed it affected them and I 
think we agree it affects Debian.  How do we go about doing that - is that 
something for you guys or do I need to get involved?

Also, since we have a working patch for the issue on mentors, what happens now?
Can it go through as NMU?  What about the backport to stable and testing?

Tim
-- 
Tim Brown
<mailto:[EMAIL PROTECTED]>
<http://www.nth-dimension.org.uk/>
