Jakub Wilk reported a directory traversal flaw in uupdate that "can trick uupdate into patching files outside the source package directory". A patch is not yet available.
Further details and a reproducer are available from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737160
CVE request: http://www.openwall.com/lists/oss-security/2014/01/31/7
Created devscripts tracking bugs for this issue:
Affects: fedora-20 [bug 1059948]
devscripts-2.14.10-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
devscripts-2.14.10-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.