Comment 5 for bug 844743

Jamie Strandboge (jdstrand) wrote :

Julian, thanks for the patches!

Hardy: ACK

With Lucid - Natty, there are a few problems though:
 * Lucid and Maverick have the same version, which is not allowed for upgrade reasons. Lucid should have 0.9.6-0ubuntu2.1.10.04.1 and Maverick should have 0.9.6-0ubuntu2.1.10.10.1
 * Lucid and Maverick use the dpatch patch system, but your patches are inline. These need to be converted to dpatch.
 * Natty's patch is named 0004-Backported-unescaped-shell-command-fixes-from-master.patch but in the series file it comes after 0005-0007. It should be named 0008-Backported-unescaped-shell-command-fixes-from-master.patch
 * Natty's changelog should reference this git commit: https://github.com/fabaff/bcfg2/commit/46795ae451ca6ede55a0edeb726978aef4684b53
 * The natty patch does not remove 'self.AddEntry(hostkey)' and 'self.AddEntry(".".join([hostkey.split('.')[0]]+['pub', "H_%s" % client]))', but upstream's does. This seems harmless just looking at the patch, but I wonder why you did that.

I verified the Lucid and Maverick patches against Debian's (i.e. and our Hardy version), but have not tested them.

In the interest of time due to the severity of this vulnerability, I have made these changes and uploaded to the security PPA.