
Re: Suggestions for handling of condor update



On Mon, Jul 13, 2020 at 10:13:34AM +0200, Sylvain Beucler wrote:
> Hi Roberto,
> 
> On 12/07/2020 13:44, Roberto C. Sánchez wrote:
> > Your feedback on the condor update situation (described below) would be
> > appreciated.
> > 
> > Several weeks ago I prepared updates for condor for jessie (then-LTS),
> > stretch, and buster (the latter two still under the security team
> > umbrella) to address CVE-2019-18823.  The description of the fix is "an
> > information disclosure of authentication credentials could allow an
> > attacker to impersonate an authenticated user and perform actions as
> > that user."
> > 
> > I messaged the security team to seek counsel regarding the best way to
> > proceed with the update in stretch and buster with the intent of
> > resolving that question before proceeding with the jessie update.  The
> > security team asked about what sort of testing had been performed.  Not
> > being a user of condor my ability to test the changes is limited, and since
> > the changes involve the authentication mechanisms, it would perhaps be
> > unwise to publish the update without some form of testing.  Thus far I
> > have not taken further action.
> > 
> > On the one hand it seems a shame to discard the prepared update, but on
> > the other hand the security team's concern regarding potential
> > regressions is quite correct.
> > 
> > Does anyone have any specific suggestions?  That is, is anyone able to
> > offer to test these packages or know someone who might be able to?
> > Apart from that, might there be an approach to minimize the possibility
> > of a regression?
> 
> If not already, I would suggest contacting the Debian package
> maintainers since this isn't fixed in unstable yet.
> They can also give more pointers.
> 
That is an excellent suggestion.  It had not even crossed my mind.
Thanks.

Regards,

-Roberto

-- 
Roberto C. Sánchez

