Version in base suite: 0.5.7-1sarge1 Version in overlay suite: 0.5.7-1sarge2 Base version: backup-manager_0.5.7-1sarge1 Target version: backup-manager_0.5.7-1sarge2 Base file: /org/ftp.debian.org/ftp/pool/main/b/backup-manager/backup-manager_0.5.7-1sarge1.dsc Target file: /org/ftp.debian.org/ftp/pool/main/b/backup-manager/backup-manager_0.5.7-1sarge2.dsc
diff -u backup-manager-0.5.7/debian/changelog backup-manager-0.5.7/debian/changelog
--- backup-manager-0.5.7/debian/changelog
+++ backup-manager-0.5.7/debian/changelog
@@ -1,3 +1,11 @@
+backup-manager (0.5.7-1sarge2) oldstable-security; urgency=high
+
+ * Non-maintainer upload by the security team.
+ * Fix FTP password disclosure during FTP uploads, based on
+ maintainer-supplied patch. Closes: #439392. CVE-2007-4656
+
+ -- Thijs Kinkhorst Sat, 15 Mar 2008 22:30:05 +0100
+
 backup-manager (0.5.7-1sarge1) stable-security; urgency=high
 
 * dpatch code for handling patches in debian/rules, added a build-dependency on
only in patch2:
unchanged:
--- backup-manager-0.5.7.orig/debian/patches/03_security_CVE-2007-4656.dpatch
+++ backup-manager-0.5.7/debian/patches/03_security_CVE-2007-4656.dpatch
@@ -0,0 +1,38 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 03_security_CVE-2007-4656.dpatch by Thijs Kinkhorst
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Backport from unstable for closing the security issue (bug #439392)
+
+@DPATCH@
+diff -Nur backup-manager-0.5.7/backup-manager-upload backup-manager-0.5.7.new/backup-manager-upload
+--- backup-manager-0.5.7/backup-manager-upload 2004-12-06 18:26:07.000000000 +0100
++++ backup-manager-0.5.7.new/backup-manager-upload 2008-03-15 22:26:56.670208256 +0100
+@@ -356,8 +356,14 @@
+ }
+ 
+ if ($g_protocol eq 'ftp' and not defined $g_pass) {
+- print $BackupManager::Config::usage, "\n";
+- exit 1;
++ # try to read the password from the environment
++ if (defined $ENV{BM_UPLOAD_PASSWD}) {
++ $g_pass = $ENV{BM_UPLOAD_PASSWD};
++ }
++ else {
++ print $BackupManager::Config::usage, "\n";
++ exit 1;
++ }
+ }
+ 
+ # storing hosts on memory
+diff -Nur backup-manager-0.5.7/lib/actions.sh backup-manager-0.5.7.new/lib/actions.sh
+--- backup-manager-0.5.7/lib/actions.sh 2008-03-15 22:28:03.677620909 +0100
++++ backup-manager-0.5.7.new/lib/actions.sh 2008-03-15 22:23:18.942111423 +0100
+@@ -261,7 +261,6 @@
+ $bmu $v -m="$BM_UPLOAD_MODE" \
+ -h="$servers" \
+ -u="$BM_UPLOAD_USER" \
+- -p="$BM_UPLOAD_PASSWD" \
+ -d="$BM_UPLOAD_DIR" \
+ -r="$BM_ARCHIVES_REPOSITORY" today || error "unable to call backup-manager-upload"
+ else
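Review bot: The Perl side of the dpatch now reads `$ENV{BM_UPLOAD_PASSWD}`, but the actions.sh side that drops `-p="$BM_UPLOAD_PASSWD"` does not show the variable being exported, so unless the configuration loader exports it (not visible here) backup-manager-upload will take the `else` branch and exit 1 instead of uploading. Reading the password and leaving it in `%ENV` also hands it to anything the uploader spawns afterwards; `$g_pass = delete $ENV{BM_UPLOAD_PASSWD};` takes the value and removes it in one step. The comment `# try to read the password from the environment` would say more as `# BM_UPLOAD_PASSWD is taken from the environment instead of -p so the password is not visible in the process list (CVE-2007-4656)`. The `-p` option parsing that sets `$g_pass` and the usage text are outside the hunk.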