bug#17532: read all responses; va down, can't check bug status
Hi...
I had been talking to Guy on irc a coupla times, and he let me know he'd work
on the bug. It's been a few days, and today I tried to check the current
status but it seems www.debian.org is down. Checking another mirror revealed a
bug archive that was approximately 60-70 days old, so I couldn't check to see if
Guy closed this bug on that archive. Could someone check on the latest known
archive? The last thing that I knew of, was bcwhite changed the status of the
bug from "critical" to "normal" without making changes to the package itself
to effect a corresponding change in functionality or notifying me, even
automatically (I added a polite request to be so notified in the bug report;
judging by the lack of any response, I'm not sure the report was even read or
checked to determine if, in fact, the bug does exist before making this
change.)
If the critical-to-normal change is the last thing to have happened, I am
asking permission to upgrade the severity to grave; I am asking also that the
bug be listed as a security bug for some of the following reasons:
Let me make sure I understand the situation: If this bug can prevent all
logins and is caused by a buffer overrun situation in login which causes same
to segfault, this is a security bug. True? If there are more buffer overrun
potentialities in the shadow password suite, presently used by debian to
authenticate users, then these too are security bugs waiting to be located.
True?
Our particular situation:
As it happens, the group file is used to place students in groups named by
classes. If it doesn't work, this particular bug will wholly corrupt the group
database at or near the point when the group line length reaches the
critical-mass point of 1024 chars; this can affect a student's grade.
Admittedly, there is nothing I saw in policy to cover such a situation,
however I see nothing at all wrong with saying that this adds support to the
claim that this is a bug involving security issues, and whether or not it is,
it is a situation which can at best be described as grave.
To Guy Maor:
Please let me know if I can help by testing new patches. We now have a machine
which is being used to experiment with the unstable side of debian. At the
moment, it is also a local mirror for frozen, and as such is tracking it. I'd
be quite happy to test what you have or even to do some coding as time
permits. I am well aware that you inherited some of the 1024-byte situation;
parts of it have existed since well before 0.93, and maybe even before debian
existed at all.
-Jim
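As an added illustration (not part of Jim's message and not code from the shadow suite), here is a defensive pre-check that refuses to grow a group entry past a fixed line-length limit. The 1024-byte figure is taken from the report; the sample group file and the assumption that the limit applies to the whole rendered line are constructed for this example, since the page does not say which buffer the bug hits.

```python
# Pre-check for group(5) entries approaching a fixed line-length limit.
# Added example: the 1024 figure comes from the bug report; the sample
# file below is constructed and the whole-line interpretation is assumed.
GROUP_LINE_LIMIT = 1024  # bytes, per the report (assumed to cover the whole line)

# Constructed sample: a class group with 84 students, 1020 bytes long.
SAMPLE_GROUP_FILE = "\n".join([
    "root:x:0:",
    "staff:x:50:alice,bob",
    "cs101:x:1001:" + ",".join(f"student{i:04d}" for i in range(84)),
])


def parse_group_file(text):
    """Parse group(5)-style lines into (name, passwd, gid, members) tuples."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, passwd, gid, members = fields
        entries.append((name, passwd, int(gid), [m for m in members.split(",") if m]))
    return entries


def render_line(name, passwd, gid, members):
    """Rebuild the on-disk form of one entry so its byte length can be measured."""
    return f"{name}:{passwd}:{gid}:{','.join(members)}"


def group_line_length(text, group):
    """Byte length of the rendered line for `group` (KeyError if absent)."""
    for name, pw, gid, members in parse_group_file(text):
        if name == group:
            return len(render_line(name, pw, gid, members).encode())
    raise KeyError(group)


def oversized_groups(text, limit=GROUP_LINE_LIMIT):
    """Names of groups whose rendered line already reaches the limit."""
    return [name for name, pw, gid, members in parse_group_file(text)
            if len(render_line(name, pw, gid, members).encode()) >= limit]


def can_add_member(text, group, user, limit=GROUP_LINE_LIMIT):
    """True only if adding `user` to `group` keeps the line below the limit."""
    for name, pw, gid, members in parse_group_file(text):
        if name == group:
            if user in members:
                return True  # no growth, nothing to check
            return len(render_line(name, pw, gid, members + [user]).encode()) < limit
    raise KeyError(group)
```

Running such a check before each group modification turns a silent corruption into a refused operation, which is the behaviour an administrator can act on.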