Hi fellow Debian LTS and Debian Security memebers
When triaging the packages for LTS I looked into the package pcs. I saw that it was already added to DSA needed so I have added it to DLA needed as well. However when reading the correction for it I started to think that the vulnerability may not be in PCS itself, but rather in Thin::Backends::UnixServer::connect because the correction is to override that function with a more secure umask.
I agree that it is good to fix the pcs package, but shouldn't we fix the default umask in general?
I would argue that the default umask is insecure.
What do you think?
Cheers
// Ola
--
--- Inguza Technology AB --- MSc in Information Technology ----
---------------------------------------------------------------