Bug#303198: Bug#307784: pam-pgsql: CAN-2004-0366

On Thu, May 05, 2005 at 03:41:13PM +0200, Primoz Bratanic wrote:
> Package: pam-pgsql
> Severity: critical
> Tags: security
> Justification: root security hole

> The problem reported in Bug#230875 and marked as fixed (NMU upload) was open
> again. The changes have disappeared. Please see the patch attached to
> Bug#230875 regarding the SQL injection problem with changing password (easy
> impact would be changing uid to 0 ... root compromise).

It looks like the upload that reverted these changes was a botched attempt at
orphaning the package.  Bug #303198, however, is currently titled "RFA", not
"O".  Joerg, was your intention here to continue maintaining pam-pgsql until
someone else comes along to do so, or were you trying to orphan the package
immediately so that you're no longer responsible for it?

If it is indeed the maintainer's intention to orphan this package, I
would recommend removing it from sarge on account of the progressive
security issues.

Steve Langasek
postmodern programmer

