Hi. I received this from the debian security team:
> Hi,
> the security issue was published for wdiff some time ago.
>
> | wdiff uses tmpnam(buf) to generate a temporary file, and fopen(buf, "w+") that
> | name, which is vulnerable to the usual symlink attack. It should use one of
> | the tmpnam alternatives like tmpfile().
>
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable. It does
> not warrant a DSA.
>
> However it would be nice if this could get fixed via a regular point update[0].
> Please contact the release team for this.
>
> This is Debian bug #425254.
>
> This is an automatically generated mail, in case you are already working on an
> upgrade this is of course pointless.
>
> For further information:
> [0] http://www.debian.org/doc/developers-reference/ch-pkgs.en.html#s-upload-stable

I'd like to upload a new wdiff for stable fixing this bug, if it's not too
late to do so.

Just to be sure: It would go to stable-proposed-updates, and it would be
version 0.5-16etch1. Is this ok?

BTW: Nico, the above URL does not currently work.

Thanks.
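The temporary-file issue named in the quoted report, as an added example that is not part of this mail, of wdiff's source, or of any Debian patch: a scratch file opened with mkstemp() instead of tmpnam() plus fopen(), and a check that an exclusive create refuses a name already occupied by a symlink. The function names, the `scratchXXXXXX` template and the `/tmp/symdemoXXXXXX` directory are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (not from wdiff): mkstemp() picks the name and creates
 * the file in one step with O_CREAT|O_EXCL, so an existing name, symlink
 * included, is never opened. tmpfile() is simpler when no name is needed. */
FILE *open_scratch(char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    int n = snprintf(path, len, "%s/scratchXXXXXX", dir);
    if (n < 0 || (size_t)n >= len)
        return NULL;               /* template did not fit the buffer */
    int fd = mkstemp(path);
    if (fd == -1)
        return NULL;
    FILE *fp = fdopen(fd, "w+");
    if (fp == NULL) {              /* do not leak the descriptor or file */
        close(fd);
        unlink(path);
    }
    return fp;
}

/* Returns 1 when an exclusive create fails with EEXIST because a symlink
 * already holds the name and the link's target was not created. */
int excl_create_refuses_symlink(void)
{
    char dir[] = "/tmp/symdemoXXXXXX";   /* constructed scratch directory */
    char lnk[64], target[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    if (symlink(target, lnk) != 0) { rmdir(dir); return -1; }
    int fd = open(lnk, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int refused = (fd == -1 && errno == EEXIST);
    if (fd != -1) close(fd);
    int untouched = (access(target, F_OK) != 0);
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return refused && untouched;
}
```

fopen(name, "w+") performs no exclusive-create check, which is why the report recommends replacing the tmpnam() pairing rather than keeping it.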

