On Thu, Mar 31, 2005 at 09:11:46AM +0200, Alberto Gonzalez Iniesta wrote:
> On Wed, Mar 30, 2005 at 09:06:39PM -1000, Joey Hess wrote:
> > Packages that are frozen:
> >
> > netkit-telnet   0.17-28 needed, have 0.17-26 for DSA-697-1
> >                 0.17-27 consisted of misc other changes, but
> >                 0.17-28 only fixed the security hole (which is quite a bad one)
> >
>
> 0.17-27 changes were trivial and mostly package cleaning. They shouldn't
> be a problem. Here's the changelog:
>
> netkit-telnet (0.17-28) unstable; urgency=high
>
>   * telnet/telnet.cc: Fixed buffer overflow in the handling of the
>     LINEMODE suboptions in telnet clients (CAN-2005-0469).
>     Thanks Martin 'Joey' Schulze for the patch.
>
>  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 29 Mar 2005 11:10:01 +0200
>
> netkit-telnet (0.17-27) unstable; urgency=low
>
>   * New maintainer
>   * debian/control. Removed full stops from packages descriptions to shut
>     lintian up.
>   * Changed $HOME of telnetd user to /nonexistent. (Closes: #272312)
>   * debian/menu. Set full path to telnet in command field.
>
>  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Sat, 12 Mar 2005 13:07:06 +0100

God damn it! I introduced a bug in 0.17-27, when I changed the $HOME dir of
telnetd to /nonexistent, since the postinst call to adduser created
/nonexistent. The changes for 0.17-28 in the postinst are:

- adduser --quiet --system --ingroup telnetd --home /nonexistent telnetd
+ adduser --quiet --no-create-home --disabled-password --system --ingroup telnetd --home /nonexistent telnetd

- adduser --quiet --system --group --home /nonexistent telnetd
+ adduser --quiet --no-create-home --disabled-password --system --group --home /nonexistent telnetd

Dear RMs, please consider *0.17-29* for sarge, as it contains the security
fix, and the Brown Paper Bag fix for this bug.

Sorry guys,

Alberto

The changelog entry:

netkit-telnet (0.17-29) unstable; urgency=high

  * The 'Brown Paper Bag' release.
  * Don't create /nonexistent when adding telned user.
    (Closes: #302395)
  * urgency set to high since this has to go into sarge.

-- 
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
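
Review bot: Nothing in the two replaced adduser calls cleans up a /nonexistent directory that the 0.17-27 postinst already created, so a system that installed 0.17-27 keeps the directory after upgrading. Consider removing it in the postinst when it exists and is empty (an rmdir, guarded so a non-empty directory is left alone). Separately, both `+` lines also add --disabled-password, which the 0.17-29 changelog entry does not mention; a short changelog line for it would make the change to the telnetd account auditable.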