Re: Pre-approval for shadow 1:4.1.1-6

To: debian-release@lists.debian.org
Cc: team@security.debian.org, pkg-shadow-devel@lists.alioth.debian.org
Subject: Re: Pre-approval for shadow 1:4.1.1-6
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 15 Nov 2008 01:43:30 +0100
Message-id: <8763mpyg25.fsf@mid.deneb.enyo.de>
In-reply-to: <20081114235918.GA16500@nekral.nekral.homelinux.net> ("Nicolas François"'s message of "Sat, 15 Nov 2008 00:59:18 +0100")
References: <20081114235918.GA16500@nekral.nekral.homelinux.net>

* Nicolas François:

> Release Managers, Security Team:
> Do you want 505071 to be fixed also for Lenny?

Do you mean "etch" instead of "lenny"?

We'd probably release a DSA once there's a patch which has some track
record, but as far as I can tell, the issue has not been fully
analyzed yet.  You guard against a symlink attack, but you don't seem
to ensure that the TTY name retrieved from the utmp file is correct in
the first place.

Reply to:

Follow-Ups:
- Re: Pre-approval for shadow 1:4.1.1-6
  - From: Nicolas François <nicolas.francois@centraliens.net>

References:
- Pre-approval for shadow 1:4.1.1-6
  - From: Nicolas François <nicolas.francois@centraliens.net>

Prev by Date: Wireshark unblock
Next by Date: Re: Bug#496954: bind9 fix for #501800 - call for release team opinion
Previous by thread: Pre-approval for shadow 1:4.1.1-6
Next by thread: Re: Pre-approval for shadow 1:4.1.1-6
Index(es):
- Date
- Thread