[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#303198: Bug#307784: pam-pgsql: CAN-2004-0366

> On Thu, May 05, 2005 at 03:41:13PM +0200, Primoz Bratanic wrote:
> > Package: pam-pgsql
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> > The problem reported in BUG#230875 and marked as fixed (NMU upload) was open
> > again. The changes have disappeared. Please see the patch attached to
> > Bug#230875 regarding sql injection problem with changing password (easy
> > impact would be changing uid to 0 ... root compromise).
> It looks like the upload that reverted these changes was a botched attempt at
> orphaning the package.  Bug #303198, however, is currently titled "RFA", not
> "O".  Joerg, was your intention here to continue maintaining pam-pgsql until
> someone else comes along to do so, or were you trying to orphan the package
> immediately so that you're no longer responsible for it?
> If it is indeed the maintainer's intention to orphan this package, I
> would recommend removing it from sarge on account of the progressive
> security issues.

I would be willing to fix and maintain the package if there is someone who would be willing to sponsor the upload.

Primoz Bratanic

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: