[Pkg-shadow-devel] Bug#379174: Shadow security update for
CVE-2006-3378
Christian Perrier
bubulle at debian.org
Sun Jul 23 16:16:00 UTC 2006
Hello dear Security team (and ftpmasters, and shadow package maintainers),
Being back from 2 days holiday I discover CVE-2006-3378 which has just
been revealed to our attention (#359174 in the BTS).
As far as I can tell, this is is locally exploitable root
vulnerability. Passwd is vulnerable in sarge.
At this very moment, I haven't seen a fix. Nicolas François is working
on one.
Our main problem is that we have another update (namely
4.0.3-31sarge7) which is pending for passwd, related to #356939. That
update is *not* handled throught the security updates queue but rather
through the proposed-updates queue as I explained you a few days ago.
It goes this way because it has to be synced with a base-config update
that Joey Hess uploaded in proposed-updates.
The update is named 4.0.3-31sarge7 because a 4.0.3-31sarge6 was not
accepted by the SRM team....and we (SRM and I) didn't want to wait for
ftpmasters action....
CVE-2006-3378 complicates the whole thing a little bit....:-(
What I propose to you, as soon as we have a fix for CVE-2006-3378:
-urgently destroy 4.0.3-31sarge6 and 31sarge7 from the
proposed-updates queue. Need ftpmasters collaboration with high urgency
-the security team, or the shadow package team, prepares
4.0.3-31sarge6 with the fix for CVE-2006-3378 *ALONE*
-the shadow package team prepares 4.0.3-31sarge7 with BOTH updates and
sends it to the proposed-updates queue so that it can be picked by the
SRM team when they're ready to update sarge
PS: neither testing nor unstable are affected by this bug as the
culprit options of passwd have been removed in shadow 4.0.14
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/attachments/20060723/07f518d5/attachment-0001.pgp
More information about the Pkg-shadow-devel
mailing list