Re: Bug#757555: pam: CVE-2014-2583 pam_timestamp directory traversal issues

On Sat, Aug 09, 2014 at 06:19:00AM -0400, Michael Gilbert wrote:
> package: src:pam
> severity: important
> version: 1.1.3-7
> tags: security

> Multiple directory traversal issues have been fixed in pam_timestamp:
> https://security-tracker.debian.org/tracker/CVE-2014-2583

Which according to elsewhere in my mailbox, you've dealt with by uploading a
10-day delayed NMU.  This is unacceptable.  The NMU process always requires
that you send your NMU diff to the BTS for review by the maintainer *first*.
When doing a delayed NMU, it's reasonable to send this diff to the BTS at
the same time.  Here, you have failed to send this NMU diff at all, and the
only notification has been an easily-overlooked mail from the ftp-master
queue software.

Maintainers should not have to go grubbing around in the delayed queue to
find out what's been uploaded.  The NMUer is responsible for sending the NMU
diff to the maintainer.

I have removed pam_1.1.3-8.1_amd64.changes from the delayed queue.  If you
have changes that you would like to see included in this package, please
send them to the BTS where they belong.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
