Bug#559827: CVE-2009-3736 update

Michael Gilbert michael.s.gilbert at gmail.com
Sat Dec 12 23:07:00 UTC 2009


Hi all,

It has come to my attention that a lot of maintainers are simply adding
a build-depends on libltdl3-dev to try to solve this problem.  This is
not a sufficient solution since your package will still use the
embedded libtool code copy.  You need to add '--without-included-ltdl'
to your configure arguments to do this right.

A verification, but not really a sufficient proof, is that 
'ldd <your binaries>' shows that the system libtool is being used.

On another note, if your package is affected in either stable or
oldstable, it also must be fixed.  The security team has determined
that this issue is not sufficiently severe to warrant DSAs for the
embedding packages, so instead, you should coordinate a proposed-update
with the release team.

Once you have fixed the problem in unstable (or even before that if
you desire), please open new bugs for stable/oldstable to track the
problem there (if your package is affected).

Thank you for working on this issue.

Mike





More information about the Pkg-voip-maintainers mailing list