-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 06 Oct 2008 18:05:47 -0500
Source: dist
Binary: dist
Architecture: source all
Version: 3.70-31etch1
Distribution: stable
Urgency: high
Maintainer: Manoj Srivastava <srivasta@debian.org>
Changed-By: Manoj Srivastava <srivasta@debian.org>
Description:
 dist       - Tools for developing, maintaining and distributing software.
Changes:
 dist (3.70-31etch1) stable; urgency=high
 .
   * Backport patches from the Lenny version to fix security issues. If a
     script uses a temp file which is created in /tmp, then an attacker
     can create a symlink with the same name in this directory in order to
     destroy or rewrite some system or user files. A symlink attack may
     lead not only to data destruction but to denial of service as
     well. Creating files with rand or pid to randomize the file names is
     not adequate to protect the system. We now use File::Temp to safely
     create the temporary files as needed. This closes a grave bug. There
     are no code changes in this version, apart from the bug fix. #496412.
Files:
 494f8a1fa667cd8b2c14afbb2ab12a2d 590 devel optional dist_3.70-31etch1.dsc
 3a7b82e6661fd1b686ed0fe04d9dc3fe 31345 devel optional dist_3.70-31etch1.diff.gz
 5f56a5c8ad408f07d50320e951822f35 554194 devel optional dist_3.70-31etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjqnMAACgkQIbrau78kQkxQ/wCgpEmN5eFwU8vnLte89bgzOkJx
+4AAoLqt+e+NNLoZ0Szmq3SSeufkwob7
=v6uz
-----END PGP SIGNATURE-----


Accepted:
dist_3.70-31etch1.diff.gz
  to pool/main/d/dist/dist_3.70-31etch1.diff.gz
dist_3.70-31etch1.dsc
  to pool/main/d/dist/dist_3.70-31etch1.dsc
dist_3.70-31etch1_all.deb
  to pool/main/d/dist/dist_3.70-31etch1_all.deb
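
The temp-file problem described in the changelog above, shown as an added example that is not code from the dist package: a pid-based name opened with a plain `open` beside the File::Temp form. The sandbox directory, file names and the `example` prefix are constructed for illustration, with the sandbox standing in for /tmp.

```perl
#!/usr/bin/perl
# Added example, not taken from dist. All paths and names are constructed.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile tempdir);

# Constructed sandbox standing in for a world-writable /tmp.
my $sandbox = tempdir(CLEANUP => 1);

# A file the script's user can write, plus a symlink already sitting
# at the predictable temp name before the script creates its file.
my $victim = "$sandbox/important.txt";
open(my $v, '>', $victim) or die "open: $!";
print $v "keep me\n";
close($v);
my $predictable = "$sandbox/example.$$";    # pid-based name, guessable
symlink($victim, $predictable) or die "symlink: $!";

# Unsafe pattern: '>' follows the symlink and truncates its target.
sub unsafe_write {
    my ($path) = @_;
    open(my $fh, '>', $path) or return 0;
    print $fh "scratch data\n";
    close($fh);
    return 1;
}

# Safe pattern: File::Temp picks an unpredictable name and creates it
# exclusively, so an existing file or symlink is never reused.
sub safe_write {
    my ($dir) = @_;
    my ($fh, $name) = tempfile('exampleXXXXXXXX', DIR => $dir, UNLINK => 1);
    print $fh "scratch data\n";
    close($fh);
    return $name;
}

sub slurp { open(my $f, '<', $_[0]) or die "open: $!"; local $/; return <$f>; }

my $tmp = safe_write($sandbox);
print "safe:   wrote $tmp, victim still: ", slurp($victim);

# Exclusive creation refuses the planted name instead of following it.
my $opened = sysopen(my $x, $predictable, O_WRONLY | O_CREAT | O_EXCL, 0600);
print "O_EXCL on planted name: ", ($opened ? "opened" : "refused ($!)"), "\n";

unsafe_write($predictable);
print "unsafe: victim now: ", slurp($victim);
```

The exclusive-create check in the middle is the property that randomizing the name with rand or the pid does not provide by itself.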