Re: Suggestions for handling of condor update

To: Roberto C. Sánchez <roberto@debian.org>, condor-debian@cs.wisc.edu, mih@debian.org, debian-lts@lists.debian.org
Subject: Re: Suggestions for handling of condor update
From: Tim Theisen <tim@cs.wisc.edu>
Date: Fri, 17 Jul 2020 19:45:33 -0500
Message-id: <[🔎] 34741160-3d7b-05ad-1607-17b6905bd716@cs.wisc.edu>
In-reply-to: <[🔎] 20200717201351.GF11023@connexer.com>
References: <[🔎] 20200712114440.GS17417@connexer.com> <[🔎] 20200717201351.GF11023@connexer.com>

Hello Roberto,

I have just returned from a two week canoe camping trip (no electricity,
no internet). I saw this bug report just as I left town. I will be able
to review your work next week.

I will have bit to catch up on Monday. I will take a look at this after
I catch up.

Thank you for putting in the time to address this issue. You will hear
from me again next week.

I should be able to review that the changes are correct and test on the
various distributions.

...Tim

On 7/17/20 3:13 PM, Roberto C. Sánchez wrote:
> Condor maintainers,
>
> Could you provide your thoughts/feedback on the below?
>
> Regards,
>
> -Roberto
>
> On Sun, Jul 12, 2020 at 07:44:40AM -0400, Roberto C. Sánchez wrote:
>> Hello all,
>>
>> Your feedback on the condor update situation (described below) would be
>> appreciated.
>>
>> Several weeks ago I prepared updates for condor for jessie (then-LTS),
>> stretch, and buster (the latter two still under the security team
>> ubmrella) to address CVE-2019-18823.  The description of the fix is "an
>> information disclosure of authentication credentials could allow an
>> attacker to impersonate an authenticated user and perform actions as
>> that user."
>>
>> I messaged the security team to seek counsel regarding the best way to
>> proceed with the update in stretch and buster with the intent of
>> resolving that question before proceeding with the jessie update.  The
>> security team asked about what sort of testing had been performed.  Not
>> being a user of condor my ability test the changes is limited, and since
>> the changes involve the authentication mechanisms, it would perhaps be
>> unwise to publish the update without some form of testing.  Thus far I
>> have not taken further action.
>>
>> One the one hand it seems a shame to discard the prepared update, but on
>> the other hand the security team's concern regarding potential
>> regressions is quite correct.
>>
>> Does anyone have any specific suggestions?  That is, is anyone able to
>> offer to test these packages or know someone who might be able to?
>> Apart from that, might there be an approach to minimize the possibility
>> of a regression?
>>
>> Regards,
>>
>> -Roberto
>>
>> -- 
>> Roberto C. Sánchez

-- 
Tim Theisen
Release Manager
HTCondor & Open Science Grid
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin - Madison
4261 Computer Sciences and Statistics
1210 W Dayton St
Madison, WI 53706-1685
+1 608 265 5736

Reply to:

Follow-Ups:
- Re: Suggestions for handling of condor update
  - From: Roberto C. Sánchez <roberto@debian.org>

References:
- Suggestions for handling of condor update
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: Suggestions for handling of condor update
  - From: Roberto C. Sánchez <roberto@debian.org>

Prev by Date: Re: Suggestions for handling of condor update
Next by Date: Re: script to review no-dsa packages fixed in LTS-1 and TLS+1
Previous by thread: Re: Suggestions for handling of condor update
Next by thread: Re: Suggestions for handling of condor update
Index(es):
- Date
- Thread