Hi Alvaro,

On Friday 6 June 2008 00:27, Alvaro Herrera wrote:
> I see that there isn't a fix for Debian for this bug:
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1475
> http://sourceforge.net/tracker/index.php?func=detail&aid=1907211&group_id=31577&atid=402788
>
> Apparently, the Debian version is thus vulnerable.

Thank you for this report. The version in Debian stable is not vulnerable because the code was introduced in 1.4.0. However, the version in testing/sid has the most recent changelog entry predating the report of the security bug you mention and I see no other evidence that it has indeed been fixed, so I've marked it as unfixed in our tracker and it will hopefully be dealt with soon.

cheers,
Thijs