[Yum-devel] yum 3.0.6 released
Michael E Brown
Michael_E_Brown at dell.com
Wed Apr 11 02:06:39 UTC 2007
On Tue, Apr 10, 2007 at 08:39:25PM -0400, Jeremy Katz wrote:
> On Tue, 2007-04-10 at 20:20 -0400, seth vidal wrote:
> > On Wed, 2007-04-11 at 00:43 +0200, Hans-Peter Jansen wrote:
> > > On Tuesday, 10 April 2007 07:19, seth vidal wrote:
> > > > Tarball:
> > > > http://linux.duke.edu/yum/download/3.0/yum-3.0.6.tar.gz
> > >
> > > Any specific reason, why the tarball contains all those CVS dirs, or just
> > > escaped your notice?
> > >
> > It doesn't contain any more than any other release of yum has. Or do you
> > mean in general, why do we leave the CVS dirs in place? And if so I'd
> > say you might have a point. :)
>
> In fact, what about the following to add a 'make dist' target that does
> an export off of the tag for the release?
This patch creates a /tmp file vulnerability for anybody making a build,
where an attacker can overwrite arbitrary files owned by the person running
the build.
--
Michael
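
The class of problem raised in this message, as an added example that is not part of the original thread and is not the patch under discussion (the patch is not shown on this page). It assumes the export was staged under a fixed name in /tmp and contrasts that with a private `mktemp -d` directory; all function names and the `demo` package are hypothetical.

```shell
#!/bin/sh
# Added example: names, paths and file contents are constructed for illustration.

# Risky pattern (assumed): a fixed, guessable staging path in a world-writable
# directory. Anyone on the host can create that path first, e.g. as a symlink,
# and the build's writes then land wherever the link points.
unsafe_stage_dir() {
    printf '%s\n' "${TMPDIR:-/tmp}/$1-$2"
}

# Pre-flight check: succeeds only if nothing exists at the path, including a
# dangling symlink (-e follows links, so -L is tested separately).
# A check like this is still racy on its own; it is a diagnostic, not the fix.
path_is_unclaimed() {
    [ ! -e "$1" ] && [ ! -L "$1" ]
}

# Hardened pattern: mktemp -d atomically creates a new directory with an
# unpredictable name and mode 0700, so no other user can pre-create it or
# place links inside it.
safe_stage_dir() {
    mktemp -d "${TMPDIR:-/tmp}/$1-$2.XXXXXXXXXX"
}

# build_dist NAME VERSION OUTDIR
# Stages a release tree in a private directory, archives it, then cleans up.
build_dist() {
    name=$1 version=$2 outdir=$3
    stage=$(safe_stage_dir "$name" "$version") || return 1
    mkdir "$stage/$name-$version" || { rm -rf "$stage"; return 1; }

    # Placeholder for the real export step (an export of the release tag from
    # version control would write into "$stage/$name-$version" here).
    printf 'constructed sample file\n' > "$stage/$name-$version/README"

    tar -C "$stage" -czf "$outdir/$name-$version.tar.gz" "$name-$version" \
        && rc=0 || rc=$?
    rm -rf "$stage"
    return "$rc"
}
```

Writing the finished tarball into the source tree (or another directory only the builder can write to) keeps the output path out of /tmp as well.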