[Pkg-blender-maintainers] CVE-2007-1253: Eval injection vulnerability in kmz_ImportWithMesh.py

Cyril Brulebois cyril.brulebois at enst-bretagne.fr
Wed Mar 14 10:38:47 CET 2007


Florian Ernst <florian_ernst at gmx.net> (14/03/2007):
> CVE-2007-1253 apparently is addressed in 2.43. However, Etch will ship
> with 2.42a, so will this issue warrant another update? I.e., is anyone
> working on this?

At first glance, that will be quite easy. The fix in 2.43 is... the
removal of the affected script, which should be backportable easily. I'm
going to prepare the needed fix to (I guess) debian/rules or such to
remove it from the installed files, and get back to developers reference
since it is the first time I have to deal with a security bug.

I think that we could also include another change: update the copyright
file to solve #407917. When it popped up (as RC, before vorlon downgraded
it), I asked the RM, and that kind of change was said to be OK for
inclusion (kind of a documentation bug, so NP).

And maybe, the documentation (NEWS, README) about the 64-bit stuff,
so that our users are informed of possible incompatibilities with later
releases (for the 64-bit users)?

Of course, I'll keep you posted and ask for review.

Cheers,

-- 
Cyril Brulebois
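The thread names the bug class (eval injection) but does not show the affected code. The following is an added illustration of that class in Python, not the code of kmz_ImportWithMesh.py and not anything from the Blender project: a constructed "vertex" string taken from a model file is fed to `eval()`, which executes any expression the file author wrote, beside a hardened parser that only accepts Python literals of the expected shape. The file format, function names and payload are all constructed for the example.

```python
"""Added illustration of the eval-injection bug class (CVE-2007-1253 names
this class for kmz_ImportWithMesh.py; that script's code is not on the page
and is not reproduced here).  Everything below is constructed."""
import ast

# Constructed: a coordinate triple as a text-based model file might carry it.
BENIGN = "(1.0, 2.5, -3.0)"

# Constructed malicious payload: a valid Python expression that has a side
# effect and still evaluates to a plausible-looking triple.  A real payload
# could call __import__('os') or anything else eval() can reach.
MALICIOUS = "CANARY.append('pwned') or (0.0, 0.0, 0.0)"

# Side-effect detector: the payload above appends to this list when executed.
CANARY = []


def parse_vertex_unsafe(text):
    """Vulnerable pattern: eval() on a string read from an untrusted file.

    eval() compiles and runs arbitrary Python, so the file author controls
    what happens in the importer's process.
    """
    return eval(text)  # intentionally unsafe, shown as the 'before'


def parse_vertex_safe(text):
    """Hardened pattern: ast.literal_eval() only accepts Python literals.

    Function calls, attribute access, operators with side effects and
    names are all rejected with ValueError/SyntaxError; the result is then
    checked for the exact shape the importer expects (three numbers).
    """
    try:
        value = ast.literal_eval(text)
    except (ValueError, SyntaxError):
        raise ValueError("not a Python literal: %r" % text)
    if not (isinstance(value, tuple) and len(value) == 3
            and all(isinstance(c, (int, float)) for c in value)):
        raise ValueError("not a 3-tuple of numbers: %r" % text)
    return tuple(float(c) for c in value)


if __name__ == "__main__":
    print("unsafe, benign   :", parse_vertex_unsafe(BENIGN))
    print("unsafe, malicious:", parse_vertex_unsafe(MALICIOUS), "CANARY =", CANARY)
    print("safe, benign     :", parse_vertex_safe(BENIGN))
    try:
        parse_vertex_safe(MALICIOUS)
    except ValueError as exc:
        print("safe, malicious  : rejected:", exc)
```

The shape check after `literal_eval` matters as much as the swap itself: `literal_eval` happily returns a huge nested list or a string, so an importer should validate the type and size of what it gets before using it, and the cleanest fix remains what 2.43 did, dropping scripts that evaluate file content at all.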