On Thu, May 05, 2005 at 03:41:13PM +0200, Primoz Bratanic wrote: > Package: pam-pgsql > Severity: critical > Tags: security > Justification: root security hole > The problem reported in BUG#230875 and marked as fixed (NMU upload) was open > again. The changes have disappeared. Please see the patch attached to > Bug#230875 regarding sql injection problem with changing password (easy > impact would be changing uid to 0 ... root compromise). It looks like the upload that reverted these changes was a botched attempt at orphaning the package. Bug #303198, however, is currently titled "RFA", not "O". Joerg, was your intention here to continue maintaining pam-pgsql until someone else comes along to do so, or were you trying to orphan the package immediately so that you're no longer responsible for it? If it is indeed the maintainer's intention to orphan this package, I would recommend removing it from sarge on account of the progressive security issues. Thanks, -- Steve Langasek postmodern programmer
Attachment:
signature.asc
Description: Digital signature