
Re: List of bugs that *must* be fixed before releasing Slink



Previously Brian White wrote:
> You know, I don't see this as "grave".  It means that a user can
> effectively "export to the world" any file readable by www-data.  In
> general, this means only things that can be read by public.  So,
> the user can't intentionally export anything that he/she couldn't already
> do by other means.

But there is a big difference between the local public that you might
trust and the big evil world outside your system.. I see two solutions
to this: enforce SymLinksIfOwnerMatch or don't allow userdirs.

> The problem comes with unintentional exports...  Well, it's a bug.  I
> don't see it as being a security hole.

You only hide information but don't disable any security issues, so it
is indeed not a real security hole in the canonical sense of the term.

> > It's important but I wouldn't call this one release-critical.
> 
> I looked at that one time, but I wasn't sure.  Is it possible that during
> an upgrade to "stable" we get dpkg and dpkglib to be out-of-step?

I don't think so; when dpkg upgrades itself and replaces the library it
still has the old library opened via a mmap() which means it won't
suddenly start using another incompatible library. This becomes a real
issue only when the library is split into its own package and the two
are upgraded independently.

> Done.  Excludes list is now:
> 	1797,20401,25405,25537,27381,27604,27738,27641,30087,
> 	30184,31717,31806,32092,32364

I have a couple less, but then again I removed contrib and non-free from
the list when the deep-freeze started.

> > Everyone who has a package with a setuid program or something that runs
> > as root should check if it uses gettext, and if so recompile it with
> > the latest gettext installed. Please note that this is not necessary for
> > programs that use the gettext from libc6.
> 
> That needs to be re-filed against all those packages, then.

Yes, but the problem is getting a list of all those packages..

Wichert.

-- 
==============================================================================
This combination of bytes forms a message written to you by Wichert Akkerman.
E-Mail: wakkerma@cs.leidenuniv.nl
WWW: http://www.wi.leidenuniv.nl/~wichert/
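The two fixes Wichert proposes for the userdir symlink export, written out as an Apache configuration fragment. This is an added example, not part of the original mail or of any Debian package: it assumes an Apache 1.3-style httpd.conf where mod_userdir maps http://host/~user/ to /home/user/public_html (hypothetical paths), shows the weak setting beside the corrected one, and adds AllowOverride None so that a user's own .htaccess cannot switch FollowSymLinks back on.

```apache
# Added example, not code from the original mail or from Debian's apache package.
# Assumes Apache 1.3-style httpd.conf with mod_userdir mapping
# http://host/~user/ to /home/user/public_html (hypothetical paths).

# Weak setting: every symlink under a user's public_html is followed, so a
# link to any file readable by www-data exports that file to the world.
#UserDir public_html
#<Directory /home/*/public_html>
#    Options Indexes FollowSymLinks
#</Directory>

# Fix 1 (Wichert's first option): follow a symlink only when the link and
# its target have the same owner, so a user can export only files they own.
# FollowSymLinks is deliberately absent: with it present the server would
# follow every link regardless of owner. AllowOverride None keeps a user's
# .htaccess from re-enabling Options FollowSymLinks for their own tree.
UserDir public_html
<Directory /home/*/public_html>
    Options Indexes SymLinksIfOwnerMatch
    AllowOverride None
</Directory>

# Fix 2 (Wichert's second option): no user directories at all.
#UserDir disabled
```

SymLinksIfOwnerMatch costs an lstat() on every path component the server resolves under that Directory, and it still lets a user publish anything they own themselves; it only stops the case discussed above, a link to someone else's world-readable file that www-data can read.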

Attachment: pgpeWURmhRlSo.pgp
Description: PGP signature

