[Pkg-openmpi-maintainers] Bug#559836: Bug#559836: CVE-2009-3736 local privilege escalation

Luk Claes luk at debian.org
Tue Dec 8 06:41:21 UTC 2009


Manuel Prinz wrote:
> Hi Michael!
> 
> On Monday, 07.12.2009, 00:06 -0500, Michael Gilbert wrote:
>> The following CVE (Common Vulnerabilities & Exposures) id was
>> published for libtool.  I have determined that this package embeds a
>> vulnerable copy of the libtool source code.  However, since this is a
>> mass bug filing (due to so many packages embedding libtool), I have not
>> had time to determine whether the vulnerable code is actually present
>> in any of the binary packages. Please determine whether this is the
>> case. If the binary packages are not affected, please feel free to close
>> the bug with a message containing the details of what you did to check.
> 
> AIUI, only the versions in squeeze and sid (identical) are affected. We
> did not have static library support in the versions in etch and lenny,
> so there are no .la files contained in the packages and they therefore
> should not be vulnerable.
> 
> I'm preparing a fix at the moment, which I can upload soon. I'd like to
> know with which priority to upload, and where. The ST suggests urgency
> of "medium", but I'm unsure which queue to use. As I understand dev-ref,
> an upload to ftp-master should suffice since {old,}stable is not
> affected. (Sorry, first CVE…)

As only sid and squeeze are affected, uploading with medium urgency to
unstable should be enough.

Cheers

Luk
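The check the bug report asks for, written as an added example for this page rather than taken from the thread or from the openmpi packaging: it screens a binary package's file listing for libtool .la files (the criterion Manuel uses) and for an embedded libltdl shared object. The listing format (one path per line, as from `dpkg-deb -c` or `dpkg -L`), the path patterns and the sample listings are all assumptions.

```shell
#!/bin/sh
# Screen a package file listing for the two indicators discussed in the
# bug: libtool archives (*.la) and a shipped libltdl shared object. Note
# that an "embedded copy of the libtool source" only matters for binary
# packages if the compiled ltdl object actually ships, which is what the
# second pattern looks for. Prints each hit; returns 0 if clean, 1 if not.
check_libtool_listing() {
    listing="$1"
    found=0
    while IFS= read -r path; do
        case "$path" in
            *.la)
                printf 'libtool archive: %s\n' "$path"; found=1 ;;
            */libltdl.so*|*/libltdl-*.so*|*/ltdl.so*)
                printf 'embedded libltdl object: %s\n' "$path"; found=1 ;;
        esac
    done < "$listing"
    return $found
}

# Constructed sample listings (assumed paths, not real package contents).
tmp_clean=$(mktemp); tmp_suspect=$(mktemp)
cat > "$tmp_clean" <<'EOF'
./usr/lib/libmpi.so.0
./usr/lib/libmpi.so.0.0.1
./usr/share/doc/libopenmpi1/copyright
EOF
cat > "$tmp_suspect" <<'EOF'
./usr/lib/libmpi.so.0
./usr/lib/libmpi.la
./usr/lib/openmpi/lib/libltdl.so.7
EOF

# Usage against a real package: dpkg-deb -c pkg.deb | awk '{print $NF}' > list
check_libtool_listing "$tmp_clean" && echo "clean listing: no indicators"
check_libtool_listing "$tmp_suspect" || echo "suspect listing: review needed"
```

The return value is what to record when closing or keeping the bug; a hit on the .la pattern alone does not prove the vulnerable code is compiled in, only that the package should be looked at more closely.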
