I forgot to reference this bug in the changelog of the previously attached debdiff. Here's a debdiff that references this bug.
** Patch added: "elfutils_0.160-0ubuntu3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+attachment/4304581/+files/elfutils_0.160-0ubuntu3.debdiff

** Patch removed: "elfutils_0.160-0ubuntu3.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/elfutils/+bug/1414206/+attachment/4304563/+files/elfutils_0.160-0ubuntu3.debdiff

https://bugs.launchpad.net/bugs/1414206

Title:
  elfutils in Vivid is vulnerable to CVE-2014-9447

Status in elfutils package in Ubuntu:
  Confirmed

Bug description:
  elfutils 0.160-0ubuntu2 has not been patched for CVE-2014-9447. I've released updates for the stable Ubuntu releases but need a sponsor for uploading to Vivid.

  The vulnerability involves crafted ar archives causing a directory traversal attack. Files in the root directory can be written if a process, with write access to the root directory, uses libelf1 to extract a malicious ar archive.

  More info can be found in our CVE tracker:
  http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9447.html
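One way a program that extracts ar archives could vet member names before creating files, given as an added example (it is not the elfutils patch and not code from this bug report). The function names are hypothetical, and the code assumes a long-name table whose entries each end in "/\n".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: is this member name safe to create inside the
 * extraction directory? Only plain file names are accepted. */
static int member_name_is_safe(const char *name, size_t n)
{
    if (n == 0)
        return 0;
    if (memchr(name, '/', n) != NULL)   /* absolute path or subdirectory */
        return 0;
    if (memchr(name, '\0', n) != NULL)  /* embedded NUL would truncate the name */
        return 0;
    if ((n == 1 && name[0] == '.') || (n == 2 && name[0] == '.' && name[1] == '.'))
        return 0;
    return 1;
}

/* Walk a long-name table whose entries each end in "/\n" (assumed layout).
 * Returns the number of entries if all are safe, or -1 if any entry is
 * unsafe or not properly terminated. */
int check_longname_table(const char *tab, size_t len)
{
    size_t start = 0;
    int count = 0;

    while (start < len) {
        const char *nl = memchr(tab + start, '\n', len - start);
        if (nl == NULL || nl == tab + start || nl[-1] != '/')
            return -1;                   /* missing "/\n" terminator */
        size_t n = (size_t)(nl - (tab + start)) - 1;  /* drop trailing '/' */
        if (!member_name_is_safe(tab + start, n))
            return -1;
        count++;
        start += n + 2;                  /* skip name, '/' and '\n' */
    }
    return count;
}

int main(void)
{
    /* Constructed sample tables, not taken from a real archive. */
    const char good[] = "a_rather_long_member_name.o/\nanother_long_name.o/\n";
    const char bad[]  = "a_rather_long_member_name.o/\n/written_to_root/\n";
    printf("good: %d\n", check_longname_table(good, sizeof good - 1));
    printf("bad:  %d\n", check_longname_table(bad, sizeof bad - 1));
    return 0;
}
```

Rejecting the whole table on the first bad entry keeps the caller from extracting any member of an archive that carries a path-like name.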