[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Vulnerability in pcs or is it in more generic code?

Hi fellow Debian LTS and Debian Security memebers

When triaging the packages for LTS I looked into the package pcs. I saw that it was already added to DSA needed so I have added it to DLA needed as well. However when reading the correction for it I started to think that the vulnerability may not be in PCS itself, but rather in Thin::Backends::UnixServer::connect because the correction is to override that function with a more secure umask.

I agree that it is good to fix the pcs package, but shouldn't we fix the default umask in general?
I would argue that the default umask is insecure.

What do you think?


// Ola

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |

Reply to: