control: tags -1 buster-ignore

Hi,

On Sun, Jan 22, 2017 at 10:47:32PM +0100, Ola Lundqvist wrote:
> I started checking the CVEs for php-gettext and I'm not sure I follow
> the information for CVE-2016-6175.
> Maybe you have more data than I do.
>
> The vulnerability is that a malicious user that has permission to
> craft .mo files in the target filesystem could execute any php code on
> that system.
> I find that a quite unlikely attack vector. Based on this I also think
> the bug should have a different priority than grave.
>
> Or have I missed anything crucial?

After a brief discussion on irc, and input from the security team, I'm
marking this buster-ignore, on the understanding that php-gettext won't
be in bullseye.

"< jmm_> I'm fine with buster-ignoring it, but it should go away after buster"

Thanks,
Ivo