On Mon, Feb 27, 2006 at 01:55:10PM +1100, Julien Goodwin wrote:
> On 27/02/2006 9:28 AM, Steve Langasek wrote:
> > On Mon, Feb 27, 2006 at 12:23:35AM +1100, Julien Goodwin wrote:
> >> This bug should be able to be closed as fixed in version 0.79.
> > No, it shouldn't. This bug is known to be present in the Debian pam 0.79
> > package, which includes a patch from the Debian selinux maintainers which
> > does indeed open this (relatively minor) security hole.
> Hmm, ok then, but why is it still open several months after being
> discovered if we know exactly what the problem is?

Because it's a low-risk vulnerability (no direct privilege escalation, just
a brute-force vector) that only affects users running SELinux-enabled
kernels in non-enforcing mode, and I disagree with upstream about the
appropriate fix for the bug.

--
Steve Langasek
Debian Developer
Give me a lever long enough and a Free OS to set it on, and I can move the world.
[EMAIL PROTECTED]
http://www.debian.org/