Re: [debian-pam] Web Page for PAM security compromise
- To: Sam Hartman <hartmans@debian.org>, don@debian.org, weasel@debian.org, pkg-pam-devel@lists.alioth.debian.org, joeyh@debian.org, debian-www@lists.debian.org
- Subject: Re: [debian-pam] Web Page for PAM security compromise
- From: Steve Langasek <vorlon@debian.org>
- Date: Tue, 4 Aug 2009 17:39:34 +0100
- Message-id: <20090804163934.GB18313@dario.dodds.net>
- Mail-followup-to: Steve Langasek <vorlon@debian.org>, Sam Hartman <hartmans@debian.org>, don@debian.org, weasel@debian.org, pkg-pam-devel@lists.alioth.debian.org, joeyh@debian.org, debian-www@lists.debian.org
- In-reply-to: <20090803234531.GL25482@dedibox.ebzao.info>
- References: <tslws5sna8y.fsf@mit.edu> <20090728152540.GB5377@dedibox.ebzao.info> <tslws5s7mce.fsf@mit.edu> <20090729234606.GA28512@dedibox.ebzao.info> <20090802205917.GB23509@dario.dodds.net> <20090803234531.GL25482@dedibox.ebzao.info>
On Tue, Aug 04, 2009 at 01:45:31AM +0200, Simon Paillard wrote:
> > This bug does not affect stable, so I don't believe that a DSA is likely to
> > be issued for it. And given that this has already been posted to
> > debian-www, there's no reason to hide it now; re-adding the Cc:.
> > > Here is a skeleton and its HTML output:
> > > http://europe.ebzao.info/~spaillar/debian/webwml/english/security/pam.wml
> > > http://europe.ebzao.info/~spaillar/debian/webwml/english/security/pam.en.html
> > The latter link doesn't appear to work?
> A clean was performed in the meantime; the html output is back now.
Thanks, that makes it easier to read. :) Filling in the blanks:
XXX -> 1.0.1-6
$date_X.X.X -> 28 Feb 2009
YYY -> 1.0.1-9
ZZZ -> 1.0.1-10
Now, as for the overall content, the first paragraph is very misleading, as
it implies that all users would have unsecured systems. Only a very small
minority of users (mainly, those with pathological debconf setups) will be
affected by the bug. So perhaps this is better?:
From versions 1.0.1-6 to 1.0.1-9, the pam-auth-update utility included in
the libpam-runtime package in Debian testing and unstable suffered from a
bug whereby systems could be inadvertently configured to allow access with
or without a correct password (<a
href="http://bugs.debian.org/519927">519927</a>). Although the majority
of users will not have been affected by this bug, those that are affected
should consider their machines to be compromised, particularly if those
machines are configured to allow access from the Internet.
We do *not* want to link to <doc/manuals/securing-debian-howto/ch4#s4.10>;
the advice there is expressly obsoleted by pam-auth-update, and some of the
recommendations there are obsolete long before.
For the next two paragraphs, perhaps this:
Beginning with version 1.0.1-10, libpam-runtime no longer permits this
incorrect configuration, and on upgrade will detect if your system was
affected by this bug. If you were shown a message on upgrade directing
you to this webpage, you should assume that your system has been
compromised. Unless you are familiar with recovering from
security failures, viruses, and malicious software <strong>you should
re-install this system from scratch</strong> or obtain the services of
a skilled system administrator. The <a
href="$(HOME)/doc/manuals/securing-debian-howto/">securing-debian-howto</a>
includes <a
href="$(HOME)/doc/manuals/securing-debian-howto/ch-after-compromise">information
on recovering from a system compromise</a>.
The Debian project apologizes that previous versions of libpam-runtime did
not detect and prevent this situation.
Thoughts?
Cheers,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
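Added example, not part of the original message and not code from Debian or Linux-PAM: the bug discussed above is dangerous because a Debian common-auth stack deliberately ends in pam_permit.so, and that is only safe while the entries before it either jump past it on success or die on failure. The script below models the Linux-PAM dispatcher's ok/done/bad/die/ignore/jump rules in simplified form and evaluates an auth stack twice, once with every credential-checking module reporting a wrong password and once with it succeeding, so a stack that grants access regardless of the password is reported as a finding. The set of credential-checking modules, the treatment of PAM_IGNORE and the two sample stacks are assumptions; the "open" sample is a hypothetical misconfiguration with the pam_deny fallback missing, not the exact output of libpam-runtime 1.0.1-6 through 1.0.1-9.

```python
"""Simplified model of the Linux-PAM auth-stack dispatcher, used to ask whether a
pam.d auth stack still succeeds when every credential-checking module fails.
Added example; not code from Debian, pam-auth-update or Linux-PAM."""
import re

SUCCESS, AUTH_ERR, PERM_DENIED, IGNORE = "success", "auth_err", "perm_denied", "ignore"

# Keyword controls written as the bracketed actions Linux-PAM documents for them
# (new_authtok_reqd and reset are omitted: they never occur in this model).
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Assumption: these modules actually verify a credential.  Every other module
# (pam_env, pam_cap, keyring helpers, ...) is modelled as returning PAM_IGNORE.
VERIFIERS = {"pam_unix.so", "pam_krb5.so", "pam_ldap.so", "pam_sss.so", "pam_winbind.so"}


def parse_stack(text):
    """Return [(actions, module)] for the 'auth' lines of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if not m or m.group(1) != "auth":
            continue                      # blank, comment, @include or non-auth line
        control, module = m.group(2), m.group(3)
        if control.startswith("["):       # e.g. [success=1 default=ignore]
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        stack.append((actions, module))
    return stack


def module_result(module, password_ok):
    """What each module returns in the scenario being simulated."""
    if module == "pam_permit.so":
        return SUCCESS
    if module == "pam_deny.so":
        return PERM_DENIED
    if module in VERIFIERS:
        return SUCCESS if password_ok else AUTH_ERR
    return IGNORE


def evaluate(stack, password_ok):
    """Walk the auth stack with the ok/done/bad/die/ignore/jump rules (simplified)."""
    impression, status = None, PERM_DENIED    # an undecided stack fails closed
    i = 0
    while i < len(stack):
        actions, module = stack[i]
        i += 1
        ret = module_result(module, password_ok)
        # Simplification: PAM_IGNORE never contributes to the stack result.
        action = "ignore" if ret == IGNORE else actions.get(ret, actions.get("default", "bad"))
        if action.isdigit():                   # N: acts as 'ok', then skips N entries
            i += int(action)
            action = "ok"
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", ret
            if action == "done" and impression == "pos":
                break
        elif action in ("bad", "die"):
            if impression != "neg":            # first failure wins and sticks
                impression, status = "neg", ret
            if action == "die":
                break
    return status


def audit(text):
    """Findings for an auth stack; an empty list means it behaves as expected."""
    stack = parse_stack(text)
    findings = []
    if not any(module in VERIFIERS for _, module in stack):
        findings.append("no credential-checking module in the auth stack")
    if evaluate(stack, password_ok=False) == SUCCESS:
        findings.append("stack succeeds with a wrong password")
    if evaluate(stack, password_ok=True) != SUCCESS:
        findings.append("stack fails with a correct password (lockout)")
    return findings


# Constructed samples.  GOOD_STACK has the shape pam-auth-update writes for a
# plain pam_unix system.  OPEN_STACK is a hypothetical misconfiguration with the
# pam_deny fallback missing, so only the 'success=1' jump ever guarded
# pam_permit; it is not claimed to be the output of the affected versions.
GOOD_STACK = """\
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""
OPEN_STACK = """\
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    required                        pam_permit.so
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_STACK), ("open", OPEN_STACK)):
        print(name, audit(text) or "ok")
```

To check a live system the same function can be fed open('/etc/pam.d/common-auth').read(); note that the model ignores @include lines and the account, password and session stacks, and that a correct answer from it is no substitute for the re-install the page recommends once a system has actually run with an open stack.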