On Fri, Apr 07, 2006 at 11:41:27AM +0100, Stephen Gran wrote:
> This one time, at band camp, Steve Langasek said:
> > On Fri, Apr 07, 2006 at 10:47:44AM +0100, Stephen Gran wrote:
> > > I generally don't like to NMU new upstream versions, but I see no
> > > activity on a security bug in a couple of weeks, so I thought I
> > > would ask.

> > Please don't upload until the current version has reached testing.
> > freeradius is among the many packages currently tied into the
> > libmysqlclient ABI transition, which is a monster to manage -- getting
> > 200 packages unblocked and into etch needs to take precedence over one
> > RC bug, security or otherwise.

> No problem - quite understood. I guess I added this one to your plate
> in the first place with my last NMU - sorry about that.

The impact of the last NMU is minimal, there are still some straggler
packages that need to be addressed before the transition finishes. I just
wanted to head off any further uploads that might set us back. :)

> > FWIW, I'm not convinced this bug warrants grave severity anyway;
> > unless the crasher bug allows arbitrary code execution as well, it
> > doesn't seem like this is really a big issue given that the radius
> > clients shouldn't normally be under the control of an attacker?

> Hmm. I read it to mean that clients could force auth bypass and
> potentially crash the server, as in any client, not just another radius
> client. If you are correct, then it is not that big a deal.

I'm not certain that my interpretation is correct, so it should definitely
be treated as more severe unless someone shows otherwise.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/