
Re: List of bugs that *must* be fixed before releasing Slink



Previously Michael Stone wrote:
> > perl-suid         31904  [B.A.McCauley@BHAM.AC.UK: Secuity hole with perl (suidperl) and nosuid mounts on Linux] [13]  (Darren Stalder <torin@daft.com>)
> 
> I'm not sure there's much we can do about this one--it's a library (kernel?)
> problem. Perhaps a note in the postinst that the 'nosuid' mount option won't
> work, and a suggestion that care be taken with user-mountable media?

What perl-suid should do is check the mount options for the filesystem on
which the script resides and abort if that was mounted with nosuid.
Should be quite simple actually..

> Ok. So what we have are various packages that need to have (apparently) simple
> changes uploaded (e.g., dependencies changed or provided patch added.) There's
> dpkg, which is probably never going to be done. :( And there's ftp.debian and
> nonus, which are dependent on their respective administrators. 
 
> Then there are some things that actually need to be looked at: 28850 says that
> any suid static-linked gettext program needs to be checked. We need a way to
> address 31904. 32485 needs someone to write a patch. 

> Someone needs to figure out what's wrong with java (32548.)

Somebody already figured that out IIRC, but a fix should be uploaded.

> And xxgdb is toasted (32206.) Am I missing anything? 

I think somebody said xxgdb works for him..

> (I.e., what's holding up slink beyond these few items?)

Nothing I hope :)

> Is a postinst message sufficient to downgrade 31904 (and can someone
> take care of that?) 

I'll complain loudly if someone downgrades that.

> I'll look at 32485 unless someone has a patch ready.

I fail to see why 32485 is release-critical.. there are probably lots of
other programs that also don't work with MD5 passwords. Do I hear
somebody saying PAM?

Wichert.

-- 
==============================================================================
This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: wakkerma@cs.leidenuniv.nl
WWW: http://www.wi.leidenuniv.nl/~wichert/
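The check Wichert proposes above for perl-suid, as an added example that is not code from this thread or from the perl-suid package: before running a script with elevated privileges, ask the kernel via statvfs() whether the filesystem holding the script is mounted nosuid, and refuse (failing closed on any error). It assumes a Linux/glibc system where f_flag carries ST_NOSUID; a small parser for the option field of /proc/mounts is included for the case where one reads the mount table directly.

```c
#include <stdio.h>
#include <string.h>
#include <sys/statvfs.h>

/* Parse a comma-separated option string as found in the 4th field of
   /proc/mounts and report whether it contains exactly the "nosuid" flag
   (so "nosuidfoo" or "rw" alone do not match). */
int opts_have_nosuid(const char *opts) {
    const char *p = opts;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 6 && strncmp(p, "nosuid", 6) == 0)
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Ask the kernel directly: on Linux, statvfs() sets ST_NOSUID in f_flag
   for a filesystem mounted with the nosuid option (assumption: glibc).
   Returns 1 if nosuid, 0 if not, -1 if the path cannot be examined. */
int mounted_nosuid(const char *path) {
    struct statvfs st;
    if (statvfs(path, &st) != 0)
        return -1;
    return (st.f_flag & ST_NOSUID) ? 1 : 0;
}

/* Decision a setuid interpreter would take before executing `script`:
   refuse on nosuid, and also refuse when the check itself fails, so an
   unreadable or vanished path never slips through as "allowed". */
int should_refuse_script(const char *script) {
    return mounted_nosuid(script) != 0;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s script\n", argv[0]);
        return 2;
    }
    if (should_refuse_script(argv[1])) {
        fprintf(stderr, "%s: refusing to run %s: filesystem is nosuid or unreadable\n",
                argv[0], argv[1]);
        return 1;
    }
    printf("%s: filesystem allows setuid, ok to run\n", argv[1]);
    return 0;
}
```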


