Hi Adam, On Tue, Jul 05, 2016 at 08:06:50AM +0200, Adam D. Barratt wrote: > Control: tags -1 + moreinfo > > On Mon, 2016-07-04 at 18:22 +0200, Simon Kainz wrote: > > Paul Wise found out that duck rund untrusted code from the current > > directory as > > well as the ./lib and ./lib/checks directory. The attached patch fixes this > > issue. > > +duck (0.7+deb8u1) jessie-security; urgency=high > > That contradicts this request to fix the issue via proposed-updates; > which is the case?
I confirm we wee in contact with Simon and decided to let this fix be proposed via a jessie point release. So the targetting distribution just needs to be adjusted (it is marked as well already in the security-tracker as no-dsa). The fix in unstable is in the 0.10 version uploaded yesterday. Regards, Salvatore
signature.asc
Description: PGP signature