
Re: List of bugs that *must* be fixed before releasing Slink



> Previously Brian White wrote:
> > apache            32204  user directories allow symlinks to other files [0]  (Johnie Ingram <johnie@debian.org>)
> 
> We should just force SymLinksIfOwnerMatch for /home to solve this.

You know, I don't see this as "grave".  It means that a user can
effectively "export to the world" any file readable by www-data.  In
general, this means only things that can be read by public.  So,
the user can't intentionally export anything that he/she couldn't already
do by other means.

The problem comes with unintentional exports...  Well, it's a bug.  I
don't see it as being a security hole.  Thoughts?


> > dpkg              28817  dpkg takes no care over libdpkg [87]  (Ian Jackson and others <dpkg-maint@chiark.greenend.org.uk>)
> 
> It's important but I wouldn't call this one release-critical.

I looked at that one time, but I wasn't sure.  Is it possible that during
an upgrade to "stable" we get dpkg and dpkglib to be out-of-step?



> > dpkg              30891  dpkg: Patch for update-alternatives to fix jdk problems [40]  (Ian Jackson and others <dpkg-maint@chiark.greenend.org.uk>)
> > dpkg-dev          31508  parsechangelog broken? [22]  (Ian Jackson and others <dpkg-maint@chiark.greenend.org.uk>)
> 
> I fixed these two in 1.4.0.33. I didn't close the bugs because I still
> need to fix them for the dpkg in potato.

You can downgrade them if you wish.


> > fileutils         31717  fileutils: 'mv regularfile symlink' problems [17]  (Galen Hazelwood <galenh@micron.net>)
> 
> Only in potato; looks like Brian forgot to add this one to his
> exclusion-list again

Oops.  Done.


> > ftp.debian.org    32364  ftp.debian.org: please remove filters from stable/frozen [0]  (Guy Maor <ftpmaster@debian.org>)
> 
> filters is no longer in frozen, so this can be excluded as well.

Done.  Excludes list is now:

	1797,20401,25405,25537,27381,27604,27738,27641,30087,
	30184,31717,31806,32092,32364


> > general           28850  gettext: security problem when used in setuid programs [0]  (debian-devel@lists.debian.org)
> 
> Everyone who has a package with a setuid program or something that runs
> as root should check if it uses gettext, and if so recompile it with
> the latest gettext installed. Please note that this is not necessary for
> programs that use the gettext from libc6.

That needs to be re-filed against all those packages, then.

                                          Brian
                                  ( bcwhite@pobox.com )

-------------------------------------------------------------------------------
       You can't talk yourself out of problems you behave yourself into.
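The apache user-directory symlink issue discussed above, as an added configuration example that is not from the thread and not the Debian apache package's own configuration. It assumes mod_userdir is mapping http://host/~user/ to /home/user/public_html (the UserDir value and the /home layout are assumptions), and shows the permissive setting next to the SymLinksIfOwnerMatch form proposed in the reply:

```apache
# Added example; not from the thread or the Debian apache package.
# Assumed layout: UserDir maps /~user/ to /home/user/public_html.
UserDir public_html

# Before: every symlink under a user's public_html is followed, so a
# user can publish any file www-data can read, e.g. after
#   ln -s /etc/passwd ~/public_html/passwd
# the file is served as http://host/~user/passwd.
<Directory /home/*/public_html>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>

# After: a symlink is followed only when the link and its target have
# the same owner. The link above points at a root-owned file and is
# refused; a link to the user's own files elsewhere still works.
<Directory /home/*/public_html>
    Options Indexes SymLinksIfOwnerMatch
    AllowOverride None
</Directory>
```

Two caveats a practitioner would want alongside the change: AllowOverride must not include Options (None is used above), otherwise a user can simply put `Options FollowSymLinks` back in their own .htaccess; and the owner check is performed with an lstat on each path component at request time, which Apache's own documentation describes as subject to race conditions, so it narrows the unintentional-export problem from the thread rather than providing a hard boundary. Run `apachectl configtest` after editing to confirm the directives are accepted.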

