Mail exchange between the security team and me a few weeks ago about a shadow update aimed at fixing the potential leak of sensitive information (Bug 356939):

">" is Joey Schulze
"> >" was me

> There's an updated shadow package in the security queue, and I
> remember asking for help with this issue, but didn't get a response.
>
> > We would like to know now whether we need to do something or if the
> > case is safely in your hands.
>
> No, it's not safe. I'm also totally out of the issue at the moment
> and don't remember any details.
>
> > A fixed version of the package is quietly waiting on my HD if needed.
>
> The same as attached or a different one?

(Joey Schulze did attach a diff file, which happened to be the same as mine... so we confirmed we were talking about the same fix.)

So, it is the same. The problem remains. We have two packages dealing with the same issue for different situations. base-config has been processed through proposed-updates... while shadow is waiting in the security team queue...

In short (Joey Hess's own words), the shadow/passwd fix is needed to fix already installed systems on upgrade now, while the base-config fix is needed to secure systems installed after the passwd package is accepted into the next stable point release.

The best really seems to be uploading the new shadow to proposed-updates as well and having both processed the same way, so that the next stable release update contains the fixed packages.

Moreover, if we only process shadow through security while base-config, which addresses the same problem, is not, we cannot write the security announcement, because new installations made with the sarge installer would still have the problem even with the new shadow.

So, the best option is actually to drop the current shadow from the security team queue while shadow is being processed through proposed-updates, synced with base-config.

As a consequence, I hereby ask the security team to DROP the processing of the 4.0.3-31sarge6 version you have.

Stable release team: I'm building a fixed shadow and will upload it to proposed-updates. It should be included in the next stable update along with base-config 2.53.10.1.

PS: I'm actually not happy with the way we handled this, "we" being the shadow package maintenance team and especially myself. I should have worried earlier. Thanks to Frans Pop, who kept nagging me about this, leading to a final discussion on IRC convincing me to change and upload to p-u. Apologies to others. I certainly still have a lot to learn when it comes to stable updates and security updates.