Re: Suggestions for handling of condor update
Condor maintainers,
Could you provide your thoughts/feedback on the below?
Regards,
-Roberto
On Sun, Jul 12, 2020 at 07:44:40AM -0400, Roberto C. Sánchez wrote:
> Hello all,
>
> Your feedback on the condor update situation (described below) would be
> appreciated.
>
> Several weeks ago I prepared updates for condor for jessie (then-LTS),
> stretch, and buster (the latter two still under the security team
> ubmrella) to address CVE-2019-18823. The description of the fix is "an
> information disclosure of authentication credentials could allow an
> attacker to impersonate an authenticated user and perform actions as
> that user."
>
> I messaged the security team to seek counsel regarding the best way to
> proceed with the update in stretch and buster with the intent of
> resolving that question before proceeding with the jessie update. The
> security team asked about what sort of testing had been performed. Not
> being a user of condor my ability to test the changes is limited, and since
> the changes involve the authentication mechanisms, it would perhaps be
> unwise to publish the update without some form of testing. Thus far I
> have not taken further action.
>
> On the one hand it seems a shame to discard the prepared update, but on
> the other hand the security team's concern regarding potential
> regressions is quite correct.
>
> Does anyone have any specific suggestions? That is, is anyone able to
> offer to test these packages or know someone who might be able to?
> Apart from that, might there be an approach to minimize the possibility
> of a regression?
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
--
Roberto C. Sánchez