Comment 3 for bug 1506467

This bug was fixed in the package click - 0.4.38.5ubuntu0.2

---------------
click (0.4.38.5ubuntu0.2) vivid-security; urgency=medium

  * SECURITY UPDATE: fix privilege escalation via crafted data.tar.gz that
    can be used to install alternate security policy than what is defined
    - click/install.py: Forbid installing packages with data tarball members
      whose names do not start with "./". Patch thanks to Colin Watson.
    - CVE-2015-XXXX
    - LP: #1506467

 -- Jamie Strandboge <email address hidden> Thu, 15 Oct 2015 10:00:20 -0500