Re: apt-get gets base-passwd from fr? could be a security problem?

To: debian-user@lists.debian.org
Cc: JOAQUIN CARABALLO MORENO <a2204@dis.ulpgc.es>
Subject: Re: apt-get gets base-passwd from fr? could be a security problem?
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 28 Apr 2003 03:33:02 +0100
Message-id: <[🔎] 20030428023302.GB8136@riva.ucam.org>
Mail-followup-to: debian-user@lists.debian.org, JOAQUIN CARABALLO MORENO <a2204@dis.ulpgc.es>
In-reply-to: <[🔎] Pine.SGI.3.96.1030428014555.254042A-100000@serdis.dis.ulpgc.es>
References: <[🔎] Pine.SGI.3.96.1030428014555.254042A-100000@serdis.dis.ulpgc.es>

On Mon, Apr 28, 2003 at 02:06:42AM +0000, JOAQUIN CARABALLO MORENO wrote:
> In my last apt-get update ; apt-get upgrade from
> http://ftp.fr.debian.org packages base-config and net-something were
> downloaded and upgraded.  It sounds a bit strange to me because I
> thought such a package (base-config, at least) should be provided by 
> http://security.debian.org/ instead.  Besides, five minutes after my
> system was hanged.

base-config and base-passwd (I'm not sure which you mean - your message
says one but your subject line says another) are both normal Debian
packages and are worked on like any other. security.debian.org doesn't
provide different types of packages; it provides different types of
*changes*, but to the same packages.

I'm the base-passwd maintainer. I know it was upgraded in testing
recently, but it wasn't a particularly significant upgrade, and it's
certainly nothing that would crash your system. Here's the changelog
between the previous and current versions in testing:

base-passwd (3.5.3) unstable; urgency=low

  * The noautoadd flag has been broken since 3.2.0: update-passwd was
    looking at the wrong id. Fortunately, since noautoadd entries aren't in
    the master files, this didn't matter except that it caused a segfault on
    empty system files (closes: #189196).

 -- Colin Watson <cjwatson@debian.org>  Wed, 16 Apr 2003 13:44:55 +0100

base-passwd (3.5.2) unstable; urgency=low

  * Fix groff problems, mainly the use of "-", throughout update-passwd(8).
    I've attempted to keep the Polish translation in step.
  * Allocate static uid/gid 64020 for asterisk (Jeff Noxon).
  * Update Standards-Version: to 3.5.9.

 -- Colin Watson <cjwatson@debian.org>  Sat, 12 Apr 2003 15:14:49 +0100

With the subversion package installed and using the bash shell, this
will print the complete diff, if you want to verify it:

  svn diff http://riva.ucam.org/svn/cjwatson/src/debian/base-passwd/tags/base-passwd-{3.5.1,3.5.3}

I think a much better place to look for suspects would be your system
logs in /var/log.

Cheers,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]

Reply to:

References:
- apt-get gets base-passwd from fr? could be a security problem?
  - From: JOAQUIN CARABALLO MORENO <a2204@dis.ulpgc.es>

Prev by Date: Re: karamba
Next by Date: Re: Speaking of logging in as root...
Previous by thread: apt-get gets base-passwd from fr? could be a security problem?
Next by thread: Re: apt-get gets base-passwd from fr? could be a security problem?
Index(es):
- Date
- Thread