[pkg-horde] CVE-2007-1515: imp4/etch not vulnerable

Gregory Colpart reg at evolix.fr
Mon Sep 24 10:31:10 UTC 2007

On Mon, Sep 24, 2007 at 12:01:07PM +0200, Thijs Kinkhorst wrote:
> On Mon, September 24, 2007 09:42, Gregory Colpart wrote:
> > I report that imp4/etch is *not* vulnerable for
> > CVE-2007-1515 (corrected in #415117). I add CVE-id to imp4's
> > changelog in our GNU Arch repository but I mention it here because no
> > upload is expected in next weeks.
> Thanks for letting us know. Could you briefly say why it's not vulnerable,
> e.g. the vulnerable code is not in that version, or some other reason?

You saw probably the answer of Nico Golde but I give you more
details here: a patch[*] for this issue was applied in imp4
4.1.3-4 (version currently in etch). This patch is a backport of
upstream security changes.

[*] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=22;filename=imp-XSS-fix.patch;att=1;bug=415117

Gregory Colpart <reg at evolix.fr>  GnuPG:1024D/C1027A0E
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/

More information about the pkg-horde-hackers mailing list