Colin Watson <[EMAIL PROTECTED]> writes:
> On Sat, Sep 28, 2002 at 06:33:18AM -0500, Debian Bug Tracking System wrote:
> > cgiemail (1.6-15) unstable; urgency=low
> > .
> >   * QA upload.
> >   * Null-terminate templatedir, and make sure it really does get checked
> >     (closes: #160813).
>
> Sorry, this should have been urgency=high.
>
> I think a stable-security upload will be needed as well. Here's the
> relevant part of the diff I used:
[...]

While you're at it, please make sure cgiemail doesn't accept templates
when there is no /etc/cgiemail.conf. As it is, the vulnerability is
still open between unpacking and configuration.

Also, I think cgiemail.pod lacks the structure and the style of a man
page, and makes us look really lazy. :-) Bug#6302, the reason it was
written, was submitted back when the binaries were in /usr/bin; since
the user doesn't invoke them directly, we can do without it.

BTW, the postrm should remove /etc/cgiemail.conf.

Thanks,

Matej