[Pkg-shadow-devel] Bug#356939: "Security" fix for shadow in sarge
(#356939)
Christian Perrier
bubulle at debian.org
Sat Jul 8 05:19:30 UTC 2006
Mail exchange between the security team and I a few weeks ago about
a shadow update aimed at fixing the potential leak of sensitive
information (Bug 356939):
">" is Joey Schulze
"> >" was me
> There's an updated shadow package in the security queue, and I
> remember asking for help with this issue, but didn't get a response.
>
> > We would like to know now whether we need to do something or if the
> > case is safely in your hands.
>
> No, it's not safe. I'm also totally out of the issue at the moment
> and don't remember any details.
>
> > A fixed version of the package is quietly waiting on my HD if needed.
>
> The same as attached or a different one?
(Joey Schulze did attach a diff file, which happened to be the same
than mine...so we confirmed we were talking about the same fix)
So, it is the same.
The problems remains. We have two packages dealing with the same
issue for different situations. base-config has been processed through
proposed-updates....while shadow is waiting in the security team
queue....
In short, (Joey Hess own words) the shadow/passwd fix is needed to fix
already installed systems on upgrade now, while the base-config fix is
needed to secure systems installed after the passwd package is
accepted into the next stable point release.
The best really seems to be uploading the new shadow in
proposed-updates as well and have both processed the same way so that
the next stable release update contains the fixed packages.
Moreover, if we only process shadow through security while base-config
which addresses the same problem is not, we cannot write the security
announcement because the new installations made with the sarge
installer would still have the problem even with the new shadow.
So, the best option is actually to drop the current shadow in the
security team queue while shadow is being processed through
proposed-updates, synced with base-config.
As a consequence, I hereby ask the security team to DROP the processing
of the 4.0.3-31sarge6 version you have.
Stable release team: I'm building a fixed shadow and will upload it to
proposed-updates. It should be included in the next stable update
along with base-config 2.53.10.1
PS: I'm actually not happy of the way we handled this, "we" being the
shadow package maintenance team and especially myself. I should have
worried earlier. Thanks to Frans Pop who kept nagging me about this,
leading to a final discussion on IRC convincing me to change and
upload to p-u. Apologies to others. I certainly have still a lot to
learn when it comes at stable updates and security updates.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/attachments/20060708/a7209143/attachment.pgp
More information about the Pkg-shadow-devel
mailing list