
Re: report on current state of sarge security



In gmane.linux.debian.devel.release, you wrote:
> ppp 2.4.2+20040428-3 needed, have 2.4.2+20040428-2 for CAN-2004-1002
> 	Candidate to be forced into testing, if the diff seems sane
> 	to RMs. If not we should backport only the security fix to t-p-u.

Users can only DoS their own connection, so it's not a security issue,
but only a creative way of terminating the connection. For details see
http://archives.neohapsis.com/archives/fulldisclosure/2004-11/0011.html

But the list is missing a minor vulnerability that is still unfixed in
Sarge: Unsafe temp file generation in krb5 (#278271)

Cheers,
        Moritz


