
Re: dist stable update for #496412



On Mon, Oct 20 2008, Nico Golde wrote:

> Hi,
> * Nico Golde <debian-release+ml@ngolde.de> [2008-10-07 14:50]:
>> Hi Manoj,
>> * Manoj Srivastava <srivasta@ieee.org> [2008-10-07 13:07]:
>> > On Sat, Oct 04 2008, Nico Golde wrote:
>> > > * Manoj Srivastava <srivasta@debian.org> [2008-10-04 16:39]:
>> > >>         On the other hand, back-porting the fix will probably be pretty
>> > >>  easy, though still a chore. Since this is an automatically generated
>> > >>  request, I'd like the input of a human before I undertake the task --
>> > >>  is this report, which was not deemed important enough to be called a
>> > >>  security risk, worth the effort? Will we release Lenny before the next
>> > >>  point release?
>> > >
>> > > In my opinion yes. It's not that this is no security risk at 
>> > > all, of course it is a security risk, it is tracked as low 
>> > > in our security tracker. But the security team would be just 
>> > > overloaded if we would release a DSA for every single tmp 
>> > > race issue that was reported recently. I think back-porting 
>> > > the fix is not that much work and the users of dist will be 
>> > > thankful for that (even if there are only ~100).
>> > 
>> >         Well, uploaded a package for stable. I must say it was hard to
>> >  resist adding the bug fixes that have happened since. I also no longer
>> >  use arch, so the new source is missing masses of .arch-ids directories
>> >  and, of course, {arch}.
>> 
>> Thanks a lot for your work! Release team, can you approve 
>> the package?
>
> Does anyone know what happened to the package?

        I got this message:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 06 Oct 2008 18:05:47 -0500
Source: dist
Binary: dist
Architecture: source all
Version: 3.70-31etch1
Distribution: stable
Urgency: high
Maintainer: Manoj Srivastava <srivasta@debian.org>
Changed-By: Manoj Srivastava <srivasta@debian.org>
Description: 
 dist       - Tools for developing, maintaining and distributing software.
Changes: 
 dist (3.70-31etch1) stable; urgency=high
 .
   * Backport patches from the Lenny version to fix security issues. If a
     script uses a temp file which is created in /tmp, then an attacker can
     create a symlink with the same name in this directory in order to
     destroy or rewrite some system or user files.  A symlink attack may also
     lead not only to data destruction but to denial of service as
     well. Creating files with rand or pid to randomize the file names is
     not adequate to protect the system. We now use File::Temp to safely
     create the temporary files as needed. This closes a grave bug.  There
     are no code changes in this version, apart from the bug fix. #496412.
Files: 
 494f8a1fa667cd8b2c14afbb2ab12a2d 590 devel optional dist_3.70-31etch1.dsc
 3a7b82e6661fd1b686ed0fe04d9dc3fe 31345 devel optional dist_3.70-31etch1.diff.gz
 5f56a5c8ad408f07d50320e951822f35 554194 devel optional dist_3.70-31etch1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkjqnMAACgkQIbrau78kQkxQ/wCgpEmN5eFwU8vnLte89bgzOkJx
+4AAoLqt+e+NNLoZ0Szmq3SSeufkwob7
=v6uz
-----END PGP SIGNATURE-----

Accepted:
dist_3.70-31etch1.diff.gz
  to pool/main/d/dist/dist_3.70-31etch1.diff.gz
dist_3.70-31etch1.dsc
  to pool/main/d/dist/dist_3.70-31etch1.dsc
dist_3.70-31etch1_all.deb
  to pool/main/d/dist/dist_3.70-31etch1_all.deb

        manoj
-- 
But a deed is well done if one does not suffer after doing it, if one
experiences the consequences smiling and contented. 68
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
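The changelog above describes the defect and the fix in one paragraph: a temporary file whose name is built from the pid or rand() is guessable, and opening it with plain ">" follows an existing symlink, so the write lands on whatever the link points at; File::Temp avoids both problems. The following Perl script is an added illustration, not code from the dist package or from this thread. It places the predictable-name pattern next to the File::Temp replacement and then inspects the file File::Temp actually created. The function names (write_temp_insecure, write_temp_safe, check_temp) and the "dist.XXXXXXXX" template are assumptions chosen for the example; File::Temp's tempfile(), TMPDIR, UNLINK and safe_level() are real module features.

```perl
#!/usr/bin/perl
# Added example, not part of the dist package: predictable /tmp file
# creation next to the File::Temp replacement the changelog refers to.
use strict;
use warnings;
use File::Temp qw(tempfile);
use Fcntl qw(:mode);

# Refuse to create files in a temp directory that is writable by others
# without the sticky bit, or not owned by us or root (File::Temp feature).
File::Temp->safe_level(File::Temp::MEDIUM);

# The pattern the changelog calls inadequate (defined for comparison only,
# never called below). The name is guessable from the pid and a small
# random range, and open(">") happily follows a symlink that already
# sits at that path, so the data is written to the link's target.
sub write_temp_insecure {
    my ($data) = @_;
    my $name = "/tmp/dist.$$." . int(rand(10000));    # predictable name
    open(my $fh, '>', $name) or die "open $name: $!";  # follows symlinks
    print {$fh} $data;
    close $fh;
    return $name;
}

# The hardened pattern. tempfile() picks the random part itself, opens the
# file with O_CREAT|O_EXCL (an existing file or symlink makes the open
# fail instead of being followed) and mode 0600. TMPDIR => 1 puts it in
# the system temp dir; UNLINK => 1 removes it when the program exits.
sub write_temp_safe {
    my ($data) = @_;
    my ($fh, $name) = tempfile("dist.XXXXXXXX", TMPDIR => 1, UNLINK => 1);
    print {$fh} $data;
    $fh->flush;
    # Keep using the open handle; re-opening by name later would reopen
    # the same race the changelog describes.
    return ($fh, $name);
}

# Inspect what was created: lstat (not stat) so a symlink would be seen
# as a symlink rather than resolved to its target.
sub check_temp {
    my ($name) = @_;
    my @st = lstat($name) or die "lstat $name: $!";
    my $mode = $st[2];
    return {
        is_symlink => S_ISLNK($mode) ? 1 : 0,
        is_regular => S_ISREG($mode) ? 1 : 0,
        perms      => sprintf('%04o', $mode & 07777),
        owner_uid  => $st[4],
    };
}

my ($fh, $name) = write_temp_safe("constructed sample payload\n");
my $info = check_temp($name);
printf "created %s: regular=%d symlink=%d perms=%s uid=%d\n",
    $name, $info->{is_regular}, $info->{is_symlink},
    $info->{perms}, $info->{owner_uid};
close $fh;
```

On a normal system the report shows a regular file with permissions 0600 owned by the running user; the pid-and-rand variant gives neither the exclusive create nor the restrictive mode, which is exactly why the changelog says randomizing the name alone is not adequate.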

