[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

"Security" fix for shadow in sarge (#356939)

Mail exchange between the security team and I a few weeks ago about
a shadow update aimed at fixing the potential leak of sensitive
information (Bug 356939):

">" is Joey Schulze
"> >" was me

> There's an updated shadow package in the security queue, and I
> remember asking for help with this issue, but didn't get a response.
> > We would like to know now whether we need to do something or if the
> > case is safely in your hands.
> No, it's not safe.  I'm also totally out of the issue at the moment
> and don't remember any details.
> > A fixed version of the package is quietly waiting on my HD if needed.
> The same as attached or a different one?

(Joey Schulze did attach a diff file, which happened to be the same
than mine...so we confirmed we were talking about the same fix)

So, it is the same. 

The problems remains. We have two packages dealing with the same
issue for different situations. base-config has been processed through
proposed-updates....while shadow is waiting in the security team

In short, (Joey Hess own words) the shadow/passwd fix is needed to fix
already installed systems on upgrade now, while the base-config fix is
needed to secure systems installed after the passwd package is
accepted into the next stable point release.

The best really seems to be uploading the new shadow in
proposed-updates as well and have both processed the same way so that
the next stable release update contains the fixed packages.

Moreover, if we only process shadow through security while base-config
which addresses the same problem is not, we cannot write the security
announcement because the new installations made with the sarge
installer would still have the problem even with the new shadow.

So, the best option is actually to drop the current shadow in the
security team queue while shadow is being processed through
proposed-updates, synced with base-config.

As a consequence, I hereby ask the security team to DROP the processing
of the 4.0.3-31sarge6 version you have.

Stable release team: I'm building a fixed shadow and will upload it to
proposed-updates. It should be included in the next stable update
along with base-config

PS: I'm actually not happy of the way we handled this, "we" being the
shadow package maintenance team and especially myself. I should have
worried earlier. Thanks to Frans Pop who kept nagging me about this,
leading to a final discussion on IRC convincing me to change and
upload to p-u. Apologies to others. I certainly have still a lot to
learn when it comes at stable updates and security updates.

Attachment: signature.asc
Description: Digital signature

Reply to: