On Wed, Oct 21, 1998 at 10:30:33AM +0200, Michael Meskes wrote:
> On Wed, Oct 21, 1998 at 02:42:28AM -0000, rcw@rcw.oz.net wrote:
> > Kevin Dalley fixed findutils 4.1-30 *more than a month ago*
> > to not use '-s /bin/sh'. Not that he updated bug #26827, but we'll overlook
> > that :)
>
> Thanks for pointing that out. It is really important IMO to see that
> secure-su does not break any essential package.

Hrrrrm, an issue for -policy, should it be required for one to make a note
to a bug report when you downgrade it stating WHY it was downgraded?

Looking at the log it seems that it WAS downgraded from critical to grave
but without any note as to why, thus the fact that findutils was fixed went
unnoticed..

However, I WOULD like to see some way to do a quick audit of packages which
use su, any takers?

> > All that has to be done is have secure-su fixed to Conflict: with findutils
> > 4.1-29, the only version released with '-s /bin/sh'.
>
> Agreed.

I'd say keep it important for now, as its handling of the -s flag is quite
horrid.. :/

Zephaniah E, Hull..

> Michael
> --
> Dr. Michael Meskes      | Th.-Heuss-Str. 61, D-41812 Erkelenz | Go SF49ers!
> Senior-Consultant       | business: Michael.Meskes@mummert.de | Go Rhein Fire!
> Mummert+Partner         | private: Michael.Meskes@usa.net     | Use Debian
> Unternehmensberatung AG |          Michael.Meskes@gmx.net     | GNU/Linux!
>
> --
> To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org