Hi Tim,
* Tim Brown <[EMAIL PROTECTED]> [2008-02-19 20:57]:
> On Tuesday 19 February 2008 19:20:23 Nico Golde wrote:
> 
> > * Tim Brown <[EMAIL PROTECTED]> [2008-02-19 20:08]:
> > > I've just noticed that the security tracker
> > > http://security-tracker.debian.net/tracker/status/release/unstable has
> > > been updated for festival.  However it is wrong.  This bug *is* remotely
> > > exploitable (due to the aforementioned lack of ACLs).
> >
> > Sure it is :) The remote exploitability status isn't set
> > manually by us. This is extracted automatically from the NVD
> > text http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4074 which
> > doesn't mention the word 'remote'. I think that's the
> > reason. Patches welcome :)
> 
> Okay, so the CVE entry is wrong (which probably explains why it wasn't 
> correctly resolved by the maintainers when it was first looked at).

Maybe it's also the Access Vector: string, not sure. Florian 
Weimer knows the details.

> It 
> probably also needs rewording since SuSE confirmed it affected them and I 
> think we agree it affects Debian.  How do we go about doing that - is that 
> something for you guys or do I need to get involved?

I see your point, I will contact MITRE to update the CVE ID 
or to assign a new one.

> Also, since we have a working patch for the issue on mentors what happens 
> now.  
> Can it go through as NMU?

The maintainer already uploaded a fixed version to unstable 
so no need for that. An NMU is only needed if the maintainer 
can't do an upload himself.

> What about the backport to stable and testing?

The package should migrate to testing in two days. If it has 
problems on migration we may do a testing security upload 
for this. For stable please contact. Referring to our svn 
the stable security did not release a DSA for CVE-2007-4074 
because it was a minor issue. If you think this should get 
fixed in stable please contact [EMAIL PROTECTED]

I guess they will happily release a DSA if someone comes up 
and provides a fixed stable package that just works.

If not, the maintainer still has a high chance to get this 
fixed via a regular point update. For this please contact 
the release team.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
