
Re: suggestions for packages to force to testing for security fixes



On Thu, Mar 31, 2005 at 09:11:46AM +0200, Alberto Gonzalez Iniesta wrote:
> On Wed, Mar 30, 2005 at 09:06:39PM -1000, Joey Hess wrote:
> > Packages that are frozen:
> > 
> > netkit-telnet 0.17-28 needed, have 0.17-26 for DSA-697-1
> > 	0.17-27 consisted of misc other changes, but
> > 	0.17-28 only fixed the security hole (which is quite a bad one)
> > 
> 
> 0.17-27 changes were trivial and mostly package cleaning. They shouldn't
> be a problem. Here's the changelog:
> 
> netkit-telnet (0.17-28) unstable; urgency=high
> 
>   * telnet/telnet.cc: Fixed buffer overflow in the handling of the
>     LINEMODE suboptions in telnet clients (CAN-2005-0469).
>     Thanks Martin 'Joey' Schulze for the patch.
> 
>  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Tue, 29 Mar 2005 11:10:01 +0200
> 
> netkit-telnet (0.17-27) unstable; urgency=low
> 
>   * New maintainer
>   * debian/control. Removed full stops from packages descriptions to shut
>     lintian up.
>   * Changed $HOME of telnetd user to /nonexistent. (Closes: #272312)
>   * debian/menu. Set full path to telnet in command field.
> 
>  -- Alberto Gonzalez Iniesta <agi@inittab.org>  Sat, 12 Mar 2005 13:07:06 +0100

God damn it! 

I introduced a bug in 0.17-27 when I changed the $HOME dir of telnetd to
/nonexistent, since the postinst call to adduser created /nonexistent.

The changes for 0.17-28 in the postinst are:

- adduser --quiet --system --ingroup telnetd --home /nonexistent telnetd
+ adduser --quiet --no-create-home --disabled-password --system --ingroup telnetd --home /nonexistent telnetd
- adduser --quiet --system --group --home /nonexistent telnetd
+ adduser --quiet --no-create-home --disabled-password --system --group --home /nonexistent telnetd
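
Review bot: Both replacement adduser lines only stop /nonexistent from being created when the telnetd account is added; nothing in the lines shown removes a /nonexistent directory that the 0.17-27 postinst already created, so a machine that installed 0.17-27 would keep it after upgrading. Consider having the postinst remove the directory on upgrade from 0.17-27 when it is empty (an rmdir guarded by a version check would do). The added --disabled-password is not explained in the message; a short comment in the postinst saying why it and --no-create-home are passed would keep a later cleanup from dropping them.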


Dear RMs, please consider *0.17-29* for sarge, as it contains the security fix,
and the Brown Paper Bag fix for this bug. Sorry guys,

Alberto


The changelog entry:

netkit-telnet (0.17-29) unstable; urgency=high
 
  * The 'Brown Paper Bag' release.
  * Don't create /nonexistent when adding telnetd user. (Closes: #302395)
  * urgency set to high since this has to go into sarge.





--
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9  0C81 C514 AF8E 4BA4 01C3
