[Gnu-arch-users] Emgergency release of tla-1.2.1pre1

[James Blackwell]

The version of libneon that is packaged with tla 1.2.0 contains a format
string vulnerability. For more information, visit the disclosure at
http://marc.theaimsgroup.com/?l=openpkg-announce&m=108213423102539&w=2 or
visit the libneon page at http://www.webdav.org/neon/. Tla users can be
affected if they download archives from untrusted sources. 

As such, I have put together tla-1.2.1pre1. This version of tla has
libneon .25.5 included. I have tested downloading with HTTP and WebDAV,
and they seem to work fine. Uploading with WebDAV has not been tested.

tla-1.2.1pre1 is available at
http://release.gnuarch.org/tla-1.2.1pre1.tar.gz. The detached signature 
can be found at http://release.gnuarch.org/tla-1.2.1pre1.tar.gz.asc.

I recommend that all people that download arch archives from untrusted 
locations upgrade to tla-1.2.1pre1 immediately.

For those that are used to building tla straight from the archive the
following steps may work for you: 

$ tla register-archive http://sourcecontrol.net/~jblack/{archives}/2004
$ tla get address@hidden/dists--jblack--1.1 tla-1.2.1pre1
$ cd tla-1.2.1pre1
$ tla buildcfg -r configs/devo.tla-1.2.1pre1
$ cd src
$ mkdir =build
$ cd =build
$ ../configure
$ make
$ su
[enter password]
# cp tla/tla/tla /usr/local/bin


Regards,

James Blackwell

-- 
James Blackwell          Please do not send me carbon copies of mailing
Smile more!              list posts. Such mail is unsolicited. Thank you!

GnuPG (ID 06357400) AAE4 8C76 58DA 5902 761D  247A 8A55 DA73 0635 7400

signature.asc
Description: Digital signature