Bug#303198: Bug#307784: pam-pgsql: CAN-2004-0366

Hi Steve,

On Thu, May 05, 2005 at 01:57:15PM -0700, Steve Langasek wrote:
> On Thu, May 05, 2005 at 03:41:13PM +0200, Primoz Bratanic wrote:
> > Package: pam-pgsql
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> > The problem reported in BUG#230875 and marked as fixed (NMU upload) was open
> > again. The changes have disappeared. Please see the patch attached to
> > Bug#230875 regarding sql injection problem with changing password (easy
> > impact would be changing uid to 0 ... root compromise).
> It looks like the upload that reverted these changes was a botched attempt at
> orphaning the package.  Bug #303198, however, is currently titled "RFA", not
> "O".  Joerg, was your intention here to continue maintaining pam-pgsql until
> someone else comes along to do so, or were you trying to orphan the package
> immediately so that you're no longer responsible for it?

It looks like you are right. I indeed wanted to orphan the package and
made a stupid mistake during the upload of the orphaned package.

> If it is indeed the maintainer's intention to orphan this package, I
> would recommend removing it from sarge on account of the progressive
> security issues.

That'd be alright, since nobody (including me) seems to be interested in
this package, anyway.


Joerg "joergland" Wendland  |  http://www.wendlandnet.de/joerg/
GPG: 51CF8417 FP: 79C0 7671 AFC7 315E 657A  F318 57A3 7FBD 51CF 8417
