[Pkg-shadow-devel] Pre-approval for shadow 1:4.1.1-6

Florian Weimer fw at deneb.enyo.de
Sat Nov 15 00:43:30 UTC 2008

* Nicolas François:

> Release Managers, Security Team:
> Do you want 505071 to be fixed also for Lenny?

Do you mean "etch" instead of "lenny"?

We'd probably release a DSA once there's a patch which has some track
record, but as far as I can tell, the issue has not been fully
analyzed yet.  You guard against a symlink attack, but you don't seem
to ensure that the TTY name retrieved from the utmp file is correct in
the first place.
