Luk Claes <l...@debian.org> writes:

>> ?? The CVE is already addressed
>> <http://packages.debian.org/changelogs/pool/main/g/gridengine/gridengine_6.2u5-1squeeze1/changelog>
>
> That's for the current stable release, not for the next one...

It's in 6.2u5-6 (the relevant environment-cleaning part). If you think there's something wrong with it, and want to reduce the protection for some reason (why?), you'll need to back it out. As far as I remember, the different patch has a bigger (undocumented) effect on behaviour, but if you check the code, you'll find that it's subsumed at a lower level in the cases that matter. (I have documentation, but that part of the man pages has been considerably reorganized, so it's difficult to apply.)

>> and it's ironic to propose an inferior fix that looks as if it came from
>> OGS, given their reaction to reporting issues that you find and fix,
>> specifically to Debian security.
>
> As that's the fix that is referenced in the CVE and there is no other
> fix referenced there nor in this bug report that's what one gets.

?? Debian assigned the CVE when I sent to the security list (an earlier version of?) the patch which was installed a while ago, after the unfortunate Oracle embargo I reluctantly went along with. Are you suggesting I did something wrong reporting this and chasing it up, or that I don't know what I'm talking about as (joint) discoverer and original fixer of these issues?

> Feel free to send the patch to this bug report or prepare an upload
> yourself to improve the situation.

I don't know what patch you mean, but I'm not a DM, so I can't do anything about it anyway. If you mean a patch for sgepasswd, then it's irrelevant if Debian doesn't ship the program, and complicated because I made changes to pass-and-pray buffers in code it calls. As I said, it seems rather irrelevant if the configuration (that users can't change with what's shipped) allows you a more-or-less trivial root on execution nodes anyhow.

I've offered to try to maintain a Debian package from a code base which is proactive about security, but it's beginning to look as if gridengine should be removed from Debian.
--
Community Grid Engine: http://arc.liv.ac.uk/SGE/