CVEs

Bug #1256068 reported by Michael Vogt
Affects: ansible (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The current version of ansible has various open security issues:

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4259
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4260
- https://access.redhat.com/security/cve/CVE-2013-2233

I have no patches yet, need to dig through git for this first :/

Tags: patch
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in ansible (Ubuntu):
status: New → Incomplete
Michael Vogt (mvo) wrote :

Sorry that this took so long.

I checked the CVEs now, and CVE-2013-4260 is not affecting 1.1.x, as this is a problem with the ".retry" file, which is a new feature in 1.2.

2013-4259 is pretty straightforward, I attached a patch.

2013-2233 is not straightforward at all; it's essentially the diff between git tags v1.2 and v1.2.1. There is no isolated diff or anything like this. I tried to isolate this, but I'm honestly not sure I was successful.

As it is, it definitely needs some serious testing before it can go out to saucy-security. Pushing v1.2.3 out would be my preferred option, TBH.

Michael Vogt (mvo) wrote :

Fwiw, this seems to be what fedora also did (just update the package instead of backporting the patch(es)).

tags: added: patch
anatoly techtonik (techtonik) wrote :

It is REALLY better to update the package to 1.4.

Michael Vogt (mvo) wrote :

@anatoly: yeah, 1.4.3 (or 1.4.4 even) is much nicer - however the policy is to not upgrade to new versions for security-updates.

Backporting patches is the preferred way. However, in this particular case the backport is kind of invasive, so I was wondering if going to the 1.2.3 version (which is the version that has a fix for these 3 CVEs) might be a good compromise between the potential erroneous backport of the "smart" protocol fix for CVE-2013-2333 and a new version.

Launchpad Janitor (janitor) wrote :

[Expired for ansible (Ubuntu) because there has been no activity for 60 days.]

Changed in ansible (Ubuntu):
status: Incomplete → Expired
This report contains Public Security information.
Everyone can see this security related information.
