http://security-tracker.debian.org/tracker/CVE-2012-2944
Debian issued a security announcement: http://lists.debian.org/debian-security-announce/2012/msg00120.html
Arches, please go ahead (without the 30-day delay).
Target: alpha amd64 ppc ppc64 sparc x86
Thanks
Arches, the package to stabilize is sys-power/nut-2.6.3.
amd64 stable
ppc stable
x86 stable
alpha/sparc keywords dropped
The vulnerability exists in <sys-power/nut-2.6.4 (not 2.6.3 as it is written in the title of this bug). The actual version now is sys-power/nut-2.6.5 (which contains another important fix which is not related to security: "any upssched.conf command that takes a second argument resulted in a defective frame sent to the parent process. Thus, the command was not executed").
(In reply to comment #7)
> The vulnerability exists in <sys-power/nut-2.6.4 (not 2.6.3)
Please ignore my previous comment. It's true that the vulnerability is fixed in 2.6.4 upstream, but the ebuild applies a patch to 2.6.3 in order to fix the vulnerability.
ppc64 stable, last arch done
CVE-2012-2944 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2944): Buffer overflow in the addchar function in common/parseconf.c in upsd in Network UPS Tools (NUT) before 2.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (electric-power outage) via a long string containing non-printable characters.
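The CVE text above describes the class of bug: a character-append routine that grows a fixed parse buffer without checking that the next write fits, where non-printable input bytes make the problem easier to hit. The following is an added example, not NUT's code and not the upstream fix: a bounds-checked append in which each non-printable byte is stored as a four-character `\xNN` escape (that expansion, the buffer size and the function names are assumptions made for this example), so the capacity check has to cover the whole expanded width before anything is written.

```c
/* Added example (not NUT's code): a bounds-checked character append
 * for a fixed-size parse buffer. Non-printable bytes are stored as a
 * four-character "\xNN" escape (an assumption for this example), so
 * every append must confirm the full expansion fits before writing. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PARSE_BUF_LEN 16   /* deliberately small so the limit is easy to hit */

struct parsebuf {
    char data[PARSE_BUF_LEN]; /* always NUL-terminated */
    size_t len;               /* bytes used, excluding the NUL */
};

void pb_init(struct parsebuf *pb) {
    pb->data[0] = '\0';
    pb->len = 0;
}

/* Append one input byte. Returns 1 on success, 0 if it would not fit;
 * on 0 the buffer is left unchanged so the caller can abort the parse. */
int pb_addchar(struct parsebuf *pb, unsigned char c) {
    char tmp[5];
    size_t need;

    if (isprint(c)) {
        tmp[0] = (char)c;
        tmp[1] = '\0';
        need = 1;
    } else {
        /* expand to \xNN: one input byte becomes four output bytes */
        snprintf(tmp, sizeof tmp, "\\x%02X", c);
        need = 4;
    }

    /* reserve one byte for the terminating NUL */
    if (pb->len + need >= PARSE_BUF_LEN)
        return 0;

    memcpy(pb->data + pb->len, tmp, need);
    pb->len += need;
    pb->data[pb->len] = '\0';
    return 1;
}

/* Feed a byte string; returns how many input bytes were accepted before
 * the first rejection (equal to n if everything fit). */
size_t pb_addstr(struct parsebuf *pb, const unsigned char *s, size_t n) {
    size_t i;
    for (i = 0; i < n; i++)
        if (!pb_addchar(pb, s[i]))
            break;
    return i;
}

int main(void) {
    struct parsebuf pb;
    /* constructed sample input: printable text followed by control bytes */
    const unsigned char sample[] = "abc\x01\x02\x03\x04\x05";
    size_t n;

    pb_init(&pb);
    n = pb_addstr(&pb, sample, sizeof sample - 1);
    printf("accepted %zu of %zu bytes: \"%s\"\n",
           n, (size_t)(sizeof sample - 1), pb.data);
    return 0;
}
```

With the 16-byte buffer, the three printable bytes and three escaped control bytes fill 15 characters; the fourth control byte is refused rather than written past the end, which is the check an unbounded append lacks.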
Thanks, everyone. Filing a new GLSA request.
This issue was resolved and addressed in GLSA 201209-19 at http://security.gentoo.org/glsa/glsa-201209-19.xml by GLSA coordinator Sean Amoss (ackle).