Bug#379174: [Pkg-shadow-devel] Re: Shadow security update for CVE-2006-3378

Christian Perrier bubulle at debian.org
Sun Jul 23 16:31:54 UTC 2006


Quoting Steve Kemp (skx at debian.org):
> On Sun, Jul 23, 2006 at 06:16:00PM +0200, Christian Perrier wrote:
> > Hello dear Security team (and ftpmasters, and shadow package maintainers),
> > 
> > Being back from a 2-day holiday, I discover CVE-2006-3378, which has just
> > been revealed to our attention (#359174 in the BTS).
> 
>   I guess you mean #379174 here?

Yeah, sorry. The stress of discovering this after a quiet 2-day
weekend can explain it, I think.

> 
> > What I propose to you, as soon as we have a fix for CVE-2006-3378:
> > 
> > 
> > -urgently destroy 4.0.3-31sarge6 and 31sarge7 from the
> >  proposed-updates queue. Need ftpmasters collaboration with high urgency
> > -the security team, or the shadow package team, prepares
> >  4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
> > -the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and
> >  sends it to the proposed-updates queue so that it can be picked by the
> >  SRM team when they're ready to update sarge
> > 
> 
>   Sounds fine from the security point of view.  Once a patch is
>  available at least.


Waiting for it, yes.

The first key point is the ftpmaster action... It will make things
clearer and avoid a big mess.

