
Bug#776646: unblock: fex/20150120-2



Control: tags -1 moreinfo

Hi,

On Fri, Jan 30, 2015 at 03:15:05PM +0100, Kilian Krause wrote:
> Version 20150120-2 fixes a security race condition where the cleanup
> script would delete a state of a freshly registered user (if
> registration is allowed) granting full user privileges instead of
> restricted ones (if so configured).
> 
> Also the version 20150120-2 fixes that the fex-utils by default don't
> connect to SSLv3 any more (and other SSL parameters are configurable).
> 
> Attached is the (quite large) diff against the version in testing
> (20140917-2) which however has multiple copies of the same update (in
> every cli client) and does contain upstream's new copy of the cli tools
> in htdocs/download (as well as 3 scripts that upstream needs yet we
> don't ship in the deb). Stripping the diff down to what we need gives
> more or less this:
[...]
>  50 files changed, 3001 insertions(+), 1169 deletions(-)

This change is obviously not appropriate at this stage in the freeze. If you
can come up with a targeted fix for this issue in the next few days, we might
be able to allow that. Otherwise, we will have to remove fex from jessie
(probably before the auto-removal deadline).

Cheers,

Ivo

