Luk Claes <l...@debian.org> writes:

> Package: gridengine
> Version: 6.2u5-7
> Severity: normal
> Tags: patch pending
>
> Dear maintainer,
>
> I've prepared an NMU for gridengine (versioned as 6.2u5-7.1) and
> uploaded it to DELAYED/02. Please feel free to tell me if I
> should delay it longer.
?? The CVE is already addressed <http://packages.debian.org/changelogs/pool/main/g/gridengine/gridengine_6.2u5-1squeeze1/changelog> and it's ironic to propose an inferior fix that looks as if it came from OGS, given their reaction to reporting issues that you find and fix, specifically to Debian security.

The patch I supplied took sensitive environment variables from Debian's libc and sudo, which I take to be canonical, though I'd value comments from security people. (Things like PYTHONPATH are irrelevant because you can/should use "python -E" in methods, and then where do you stop -- why not Ruby? Also, it's now clear that the issue of the user environment needs addressing more fundamentally.)

Debian doesn't distribute sgepasswd, so I ignored it, but there are more issues with it <https://arc.liv.ac.uk/trac/SGE/log/sge/source/utilbin/sge_passwd.c>.

However, this is probably irrelevant with the current packaging, which I didn't realize initially. The Debian-supplied configuration allows equivalent privilege elevation anyway, and the package doesn't have the script to change it (#598510).

-- 
Community Grid Engine: http://arc.liv.ac.uk/SGE/
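As an added illustration of the environment filtering the reply describes (not the Debian patch or any Grid Engine code), the C below drops entries whose names appear on a denylist before the environment is handed to a job method. The denylist is an illustrative subset drawn from the variables glibc's loader ignores for set-uid programs and sudo's default env_delete list; the sample environment and the function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Illustrative subset of variables glibc's dynamic loader drops for
 * set-uid programs and sudo removes by default.  Not the patch's list. */
static const char *const unsafe_vars[] = {
    "GCONV_PATH", "LOCALDOMAIN", "RES_OPTIONS", "HOSTALIASES", "NLSPATH",
    "TZDIR", "IFS", "BASH_ENV", "ENV", "PERLLIB", "PERL5LIB", "PERL5OPT",
    "RUBYLIB", "RUBYOPT", "JAVA_TOOL_OPTIONS", NULL
};

/* Nonzero if the "NAME=value" entry names a denylisted variable.
 * Every LD_* variable is rejected, as glibc itself does. */
int env_entry_is_unsafe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen = eq ? (size_t)(eq - entry) : strlen(entry);
    if (namelen >= 3 && strncmp(entry, "LD_", 3) == 0)
        return 1;
    for (const char *const *v = unsafe_vars; *v; v++)
        if (strlen(*v) == namelen && strncmp(entry, *v, namelen) == 0)
            return 1;
    return 0;
}

/* Copies the safe entries of envp into out (capacity max, NULL-terminated)
 * and returns how many were kept; out is what execve() should receive. */
size_t sanitize_env(char *const envp[], char *out[], size_t max)
{
    size_t n = 0;
    for (size_t i = 0; envp[i] && n + 1 < max; i++)
        if (!env_entry_is_unsafe(envp[i]))
            out[n++] = envp[i];
    out[n] = NULL;
    return n;
}

/* Constructed sample environment: 5 entries, 3 of which should survive. */
size_t demo_count(void)
{
    char *sample[] = { "HOME=/home/job", "LD_PRELOAD=/tmp/x.so",
                       "PATH=/usr/bin:/bin", "IFS= ",
                       "SGE_ROOT=/var/lib/gridengine", NULL };
    char *clean[8];
    size_t kept = sanitize_env(sample, clean, 8);
    for (size_t i = 0; clean[i]; i++)
        printf("keep: %s\n", clean[i]);
    return kept;
}
```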