Hi Steve, On Thu, May 05, 2005 at 01:57:15PM -0700, Steve Langasek wrote: > On Thu, May 05, 2005 at 03:41:13PM +0200, Primoz Bratanic wrote: > > Package: pam-pgsql > > Severity: critical > > Tags: security > > Justification: root security hole > > > The problem reported in BUG#230875 and marked as fixed (NMU upload) was open > > again. The changes have disappeared. Please see the patch attached to > > Bug#230875 regarding sql injection problem with changing password (easy > > impact would be changing uid to 0 ... root compromise). > > It looks like the upload that reverted these changes was a botched attempt at > orphaning the package. Bug #303198, however, is currently titled "RFA", not > "O". Joerg, was your intention here to continue maintaining pam-pgsql until > someone else comes along to do so, or were you trying to orphan the package > immediately so that you're no longer responsible for it? It looks like you are right. I indeed wanted to orphan the package and made a stupid mistake during the upload of the orphaned package. > If it is indeed the maintainer's intention to orphan this package, I > would recommend removing it from sarge on account of the progressive > security issues. That'd be alright, since nobody (including me) seems to be interested in this package, anyway. Joerg -- Joerg "joergland" Wendland | http://www.wendlandnet.de/joerg/ GPG: 51CF8417 FP: 79C0 7671 AFC7 315E 657A F318 57A3 7FBD 51CF 8417
Attachment:
signature.asc
Description: Digital signature