In gmane.linux.debian.devel.release, you wrote:
> ppp 2.4.2+20040428-3 needed, have 2.4.2+20040428-2 for CAN-2004-1002
> Candidate to be forced into testing, if the diff seems sane
> to RMs. If not we should backport only the security fix to t-p-u.

Users can only DoS their own connection, so it's not a security issue, but only a creative way of terminating the connection. For details see
http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0011.html

But the list is missing a minor vulnerability that is still unfixed in Sarge:
Unsafe temp file generation in krb5 (#278271)

Cheers,
Moritz