Suggestions for handling of condor update



Hello all,

Your feedback on the condor update situation (described below) would be
appreciated.

Several weeks ago I prepared updates for condor for jessie (then-LTS),
stretch, and buster (the latter two still under the security team
umbrella) to address CVE-2019-18823.  The description of the fix is "an
information disclosure of authentication credentials could allow an
attacker to impersonate an authenticated user and perform actions as
that user."

I messaged the security team to seek counsel regarding the best way to
proceed with the update in stretch and buster with the intent of
resolving that question before proceeding with the jessie update.  The
security team asked about what sort of testing had been performed.  Not
being a user of condor my ability to test the changes is limited, and since
the changes involve the authentication mechanisms, it would perhaps be
unwise to publish the update without some form of testing.  Thus far I
have not taken further action.

On the one hand it seems a shame to discard the prepared update, but on
the other hand the security team's concern regarding potential
regressions is quite correct.

Does anyone have any specific suggestions?  That is, is anyone able to
offer to test these packages or know someone who might be able to?
Apart from that, might there be an approach to minimize the possibility
of a regression?

Regards,

-Roberto

-- 
Roberto C. Sánchez
