
Re: Please unblock remctl 2.2-3 (security)



Russ Allbery wrote:
In internal testing, I discovered a long-standing logic bug in remctl (a
client/server system for remote Kerberos-authenticated command execution)
that would cause the server to treat a non-existent ACL file as
authorization success, allowing any authenticated user to execute the
command supposedly protected by that missing ACL file.

In normal operation, all the ACL files referred to in the remctld
configuration obviously exist, but given how easy of a mistake this is to
make, I think this warrants a security update to the version in etch.  The
version in stable is not affected.

I've just now uploaded 2.2-3 packages with the minimal fix (the current
upstream version is 2.6) with urgency high.  Attached is a diff.  Assuming
that it builds properly on all arches, could you unblock?

Unblocked.

Cheers

Luk
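The bug class in the quoted report is a fail-open authorization check: an error opening the ACL file is mistaken for "no restriction". The following is an added example written for this page, not remctl's code and not the patch Russ attached; it uses a hypothetical one-principal-per-line ACL format, a constructed sample file under /tmp, and hypothetical function names (acl_check_fail_open, acl_check_fail_closed, run_scenario) to show the fail-open shape beside the fail-closed one, with the missing-file case exercised explicitly.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ACL_DENY  0
#define ACL_ALLOW 1

/* Returns 1 if the ACL file at `path` lists `principal` on a line of its
 * own, 0 if the file is readable but does not list it, and -1 (errno set)
 * if the file cannot be opened.  Blank lines and '#' lines are ignored.
 * The format is a hypothetical one chosen for this example. */
static int acl_file_lists(const char *path, const char *principal)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;                      /* errno left as fopen set it */
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        line[strcspn(line, "\r\n")] = '\0';
        if (line[0] == '\0' || line[0] == '#')
            continue;
        if (strcmp(line, principal) == 0) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Fail-open check (hypothetical, the shape of the mistake in the report):
 * a missing ACL file is treated as if no ACL applied, so any authenticated
 * principal is allowed to run the command. */
int acl_check_fail_open(const char *path, const char *principal)
{
    int r = acl_file_lists(path, principal);
    if (r < 0 && errno == ENOENT)
        return ACL_ALLOW;               /* BUG: fail-open on a missing file */
    return r == 1 ? ACL_ALLOW : ACL_DENY;
}

/* Fail-closed check: any error reading the ACL denies and is logged, so a
 * dangling filename in the configuration cannot silently widen access. */
int acl_check_fail_closed(const char *path, const char *principal)
{
    int r = acl_file_lists(path, principal);
    if (r < 0) {
        fprintf(stderr, "ACL file %s unreadable (%s): denying %s\n",
                path, strerror(errno), principal);
        return ACL_DENY;
    }
    return r == 1 ? ACL_ALLOW : ACL_DENY;
}

/* Writes a constructed sample ACL to a fresh temporary file and stores its
 * path in `path_out`.  Returns 0 on success, -1 on failure. */
int write_sample_acl(char *path_out, size_t len)
{
    static const char template[] = "/tmp/acl-example-XXXXXX";
    static const char contents[] =
        "# constructed sample ACL: one Kerberos principal per line\n"
        "alice@EXAMPLE.ORG\n";
    if (len < sizeof template)
        return -1;
    memcpy(path_out, template, sizeof template);
    int fd = mkstemp(path_out);
    if (fd < 0)
        return -1;
    FILE *f = fdopen(fd, "w");
    if (f == NULL) {
        close(fd);
        return -1;
    }
    fputs(contents, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Runs one scenario end to end: writes the sample ACL, optionally deletes
 * it to simulate a configuration that names a file which does not exist,
 * evaluates `principal` with the chosen checker, and cleans up.  Returns
 * ACL_ALLOW, ACL_DENY, or -1 if the sample could not be created. */
int run_scenario(const char *principal, int file_missing, int fail_open)
{
    char path[64];
    if (write_sample_acl(path, sizeof path) != 0)
        return -1;
    if (file_missing)
        unlink(path);
    int result = fail_open ? acl_check_fail_open(path, principal)
                           : acl_check_fail_closed(path, principal);
    if (!file_missing)
        unlink(path);
    return result;
}

int main(void)
{
    const char *mallory = "mallory@EXAMPLE.ORG";
    printf("listed principal, file present:   open=%d closed=%d\n",
           run_scenario("alice@EXAMPLE.ORG", 0, 1),
           run_scenario("alice@EXAMPLE.ORG", 0, 0));
    printf("unlisted principal, file present: open=%d closed=%d\n",
           run_scenario(mallory, 0, 1), run_scenario(mallory, 0, 0));
    printf("unlisted principal, file missing: open=%d closed=%d\n",
           run_scenario(mallory, 1, 1), run_scenario(mallory, 1, 0));
    return 0;
}
```

The last line of output is the point: with the file present both checkers deny mallory, but once the file is missing the fail-open variant returns ACL_ALLOW for anyone who authenticated, which is exactly the exposure the quoted message describes. A useful check for a deployment is to walk every ACL path named in the configuration at startup and refuse to start (or at least log loudly) if any is unreadable, rather than discovering the gap on the first request.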
