Re: List of bugs that *must* be fixed before releasing Slink
> Previously Brian White wrote:
> > apache 32204 user directories allow symlinks to other files [0] (Johnie Ingram <johnie@debian.org>)
>
> We should just force SymLinksIfOwnerMatch for /home to solve this.
You know, I don't see this as "grave". It means that a user can
effectively "export to the world" any file readable by www-data. In
general, this means only things that can be read by public. So,
the user can't intentionally export anything that he/she couldn't already
do by other means.
The problem comes with unintentional exports... Well, it's a bug. I
don't see it as being a security hole. Thoughts?
> > dpkg 28817 dpkg takes no care over libdpkg [87] (Ian Jackson and others <dpkg-maint@chiark.greenend.org.uk>)
>
> It's important but I wouldn't call this one release-critical.
I looked at that one time, but I wasn't sure. Is it possible that during
an upgrade to "stable" we get dpkg and dpkglib to be out-of-step?
> > dpkg 30891 dpkg: Patch for update-alternatives to fix jdk problems [40] (Ian Jackson and others <dpkg-maint@chiark.greenend.org.uk>)
> > dpkg-dev 31508 parsechangelog broken? [22] (Ian Jackson and others <dpkg-maint@chiark.greenend.org.uk>)
>
> I fixed these two in 1.4.0.33. I didn't close the bugs because I still
> need to fix them for the dpkg in potato.
You can downgrade them if you wish.
> > fileutils 31717 fileutils: 'mv regularfile symlink' problems [17] (Galen Hazelwood <galenh@micron.net>)
>
> Only in potato; looks like Brian forgot to add this one to his
> exclusion-list again
Oops. Done.
> > ftp.debian.org 32364 ftp.debian.org: please remove filters from stable/frozen [0] (Guy Maor <ftpmaster@debian.org>)
>
> filters is no longer in frozen, so this can be excluded as well.
Done. Excludes list is now:
1797,20401,25405,25537,27381,27604,27738,27641,30087,
30184,31717,31806,32092,32364
> > general 28850 gettext: security problem when used in setuid programs [0] (debian-devel@lists.debian.org)
>
> Everyone who has a package with a setuid program or something that runs
> as root should check if it uses gettext, and if so recompile it with
> the latest gettext installed. Please not that this is not necessary for
> programs that use the gettext from libc6.
That needs to be re-filed against all those packages, then.
Brian
( bcwhite@pobox.com )
-------------------------------------------------------------------------------
You can't talk yourself out of problems you behave yourself into.
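As an added illustration of the SymLinksIfOwnerMatch fix proposed in the thread above (this is example configuration written for this note, not from the thread or from the Debian apache package; the /home/*/public_html path and the AllowOverride choice are assumptions):

```apache
# Weak setting (assumed starting point): every symlink under a user's
# public_html is followed, so a user can expose any file that www-data
# can read, intentionally or not, by linking to it.
#
# <Directory /home/*/public_html>
#     Options Indexes FollowSymLinks
#     AllowOverride All
# </Directory>

# Fix proposed in the thread: follow a symlink only when the link and
# its target are owned by the same user.  A link pointing at another
# user's file or at a system file is refused.
<Directory /home/*/public_html>
    # No leading '+' so this resets any FollowSymLinks inherited from an
    # enclosing <Directory> block; FollowSymLinks would otherwise win.
    Options Indexes SymLinksIfOwnerMatch
    # 'Options' is deliberately absent from AllowOverride, so a user's
    # .htaccess cannot turn FollowSymLinks back on.
    AllowOverride AuthConfig Limit
</Directory>
```

Note that SymLinksIfOwnerMatch makes Apache lstat() every path component on each request, so it costs a little per hit; and it only compares ownership, so a user can still publish anything in their own files that www-data can read, which is the point Brian makes above about deliberate versus unintentional exports.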