
Re: Release-critical Bugreport for November 26, 1999

On 99-11-28 Herbert Xu wrote:
> Christian Kurz <shorty@debian.org> wrote:
> >
> >> Package: kernel-image-2.2.13 (main)
> >> Maintainer: Herbert Xu <herbert@debian.org>
> >>   49723  kernel: devpts module not installed by default
> >> [FIXED] Fixed package kernel-image-2.2.13-i386 is in Incoming

> > Herbert, has the new bug-fixing upload yet been done?

> Well, as the tag says, it's in Incoming.

Sorry, I must have overlooked this tag while going through this list.

> >> Package: libc6 (main)
> >> Maintainer: Joel Klecker <debian-glibc@lists.debian.org>
> >>   21810  libc6: rexec call dumps core with user="string" and password=NULL

> > Need some more examination to find a solution that doesn't open a
> > security hole.

> AFAIK, there aren't any security implications here if the strategy is to
> copy the libc5 behaviour (my preference).

This would be a possible solution, but is it a good solution? I just looked
through the emails in the BTS about this issue and think that Joey
(M. Schulze) made a good suggestion for how rexec should behave. What about
this suggestion? Could this be adopted and implemented?

* Christian Kurz                          Debian Developer/QA-Team *
*               Use Debian - a free Operating System               *
