Hi Markus,

thanks for fixing this but now we're in the situation that this is fixed in LTS with an (actually quite complex) patch that has not been tested in unstable, which is rather unfortunate.

On Thu, May 12, 2016 at 03:50:13PM +0000, dak@security.debian.org wrote:
> Source: libuser
> Version: 1:0.56.9.dfsg.1-1.2+deb7u1
> * CVE-2015-3246:
> libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper
> program in the usermode package, directly modifies /etc/passwd, which
> allows local users to cause a denial of service (inconsistent file state)
> by causing an error during the modification. This issue can be
> combined with CVE-2015-3245 to gain privileges.
> * See also https://bugs.debian.org/793465 for more information.

this bug ^

do you plan to also fix it in unstable? (and jessie…?)

I think there should be the general rule to always fix things in unstable first, even if this requires an NMU by the LTS team. I also thought we agreed on this previously, but I might be wrong here. We certainly discussed this before…

--
cheers,
Holger