[Secure-testing-team] [Secure-testing-commits] r13486 - in data: . CVE
Michael Gilbert
michael.s.gilbert at gmail.com
Tue Dec 8 15:50:23 UTC 2009
On Mon, 7 Dec 2009 23:16:05 +0000, Moritz Muehlenhoff wrote:
> Modified: data/embedded-code-copies
> ===================================================================
> --- data/embedded-code-copies 2009-12-07 23:07:04 UTC (rev 13485)
> +++ data/embedded-code-copies 2009-12-07 23:16:05 UTC (rev 13486)
> @@ -1523,7 +1523,8 @@
> - courier-authlib <unfixed> (embed)
> - cvsnt <unfixed> (embed)
> - dico <unfixed> (embed)
> - - freeradius <unfixed> (embed)
> + - freeradius 0.1+20010527-1 (embed)
> + NOTE: Earliest reference I could find from the changelog is from 27 May 2001
there was previous discussion that checking against changelog entries
was insufficient [0]. has this direction changed? if so, i could have
avoided submitting a lot of these libtool bugs by simply checking that
the package depends on libltdl and has a changelog entry saying that is
the case, but i don't think that would have been considered sufficient.
i am expecting maintainers to actually double-check their linking
process to verify that they are not pulling in the embedded code. is
that asking too much?
mike
More information about the Secure-testing-team
mailing list