Debian issued a security announcement
Arches, please go ahead (without the 30-day delay)
Target alpha amd64 ppc ppc64 sparc x86
Arches, the package to stabilize is sys-power/nut-2.6.3.
alpha/sparc keywords dropped
The vulnerability exists in <sys-power/nut-2.6.4 (not 2.6.3 as it is written in the title of this bug).
The actual version now is sys-power/nut-2.6.5 (which contains another important fix which is not related to security: "any upssched.conf command that takes a second argument resulted in a defective frame sent to the parent process. Thus, the command was not executed").
(In reply to comment #7)
> The vulnerability exists in <sys-power/nut-2.6.4 (not 2.6.3)
Please ignore my previous comment. It's true that vulnerability is fixed in 2.6.4 upstream but the ebuild applies a patch to 2.6.3 in order to fix the vulnerability.
ppc64 stable, last arch done
Buffer overflow in the addchar function in common/parseconf.c in upsd in
Network UPS Tools (NUT) before 2.6.4 allows remote attackers to execute
arbitrary code or cause a denial of service (electric-power outage) via a
long string containing non-printable characters.
Filing a new GLSA request.
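The CVE text above describes the general weakness class: a per-character append helper writing into a fixed-size word buffer without a bounds check, so a long input line, especially one whose non-printable bytes get expanded on the way in, runs past the end of the buffer. The following C program is an added illustration of that pattern and of the bounded form of the same helper; it is not NUT's `parseconf.c` code, and the `word_buf` type, the `WORD_MAX` size, the escape expansion of control bytes and the sample line are all constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical parser state with a fixed-size token buffer
 * (constructed for this example; not NUT's actual structure). */
#define WORD_MAX 32

typedef struct {
    char   word[WORD_MAX];
    size_t len;
    size_t dropped;   /* bytes refused because the buffer was full */
} word_buf;

static void word_init(word_buf *b) { memset(b, 0, sizeof *b); }

/* Unchecked append: trusts the caller never to exceed WORD_MAX.
 * Called past the end of the buffer this is the overflow in the CVE text. */
static void addchar_unchecked(word_buf *b, char c) {
    b->word[b->len++] = c;
    b->word[b->len] = '\0';
}

/* Bounded append: keep one byte for the terminator and refuse the rest.
 * Returns 1 if the byte was stored, 0 if it was dropped. */
static int addchar_checked(word_buf *b, char c) {
    if (b->len + 1 >= WORD_MAX) {
        b->dropped++;
        return 0;
    }
    b->word[b->len++] = c;
    b->word[b->len] = '\0';
    return 1;
}

/* Feed one line byte by byte. Non-printable bytes are stored as a
 * two-character marker ("\?"), an assumed expansion that shows why such
 * input consumes buffer faster than its raw length suggests. */
static size_t feed_line(word_buf *b, const char *line, size_t n) {
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)line[i];
        if (isprint(c)) {
            accepted += (size_t)addchar_checked(b, (char)c);
        } else {
            accepted += (size_t)addchar_checked(b, '\\');
            accepted += (size_t)addchar_checked(b, '?');
        }
    }
    return accepted;
}

/* Constructed sample: 20 printable bytes followed by 10 control bytes,
 * i.e. 40 bytes of expanded output aimed at a 32-byte buffer. */
static void run_demo(word_buf *b) {
    char line[30];
    memset(line, 'A', 20);
    memset(line + 20, 0x01, 10);
    word_init(b);
    feed_line(b, line, sizeof line);
}

static size_t demo_len(void)     { word_buf b; run_demo(&b); return b.len; }
static size_t demo_dropped(void) { word_buf b; run_demo(&b); return b.dropped; }
static int    demo_terminated(void) { word_buf b; run_demo(&b); return b.word[b.len] == '\0'; }

int main(void) {
    word_buf b;
    word_init(&b);
    /* The unchecked helper is safe only while the input is short. */
    for (const char *p = "ok"; *p; p++) addchar_unchecked(&b, *p);
    printf("unchecked short input: \"%s\"\n", b.word);

    run_demo(&b);
    printf("checked long input: stored %zu bytes, dropped %zu, word=\"%s\"\n",
           b.len, b.dropped, b.word);
    return 0;
}
```

The bounded version turns the overflow into a truncated token plus a counter a caller can log; a parser in this position should treat a non-zero `dropped` as a malformed line rather than silently using the truncated word.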
This issue was resolved and addressed in
GLSA 201209-19 at http://security.gentoo.org/glsa/glsa-201209-19.xml
by GLSA coordinator Sean Amoss (ackle).