On Sun, Oct 22, 2006 at 12:15:42PM +0200, Moritz Muehlenhoff wrote:
> Steve Langasek wrote:
> > > >> This bug should be able to be closed as fixed in version 0.79.

> > > > No, it shouldn't. This bug is known to be present in the Debian pam 0.79
> > > > package, which includes a patch from the Debian selinux maintainers which
> > > > does indeed open this (relatively minor) security hole.

> > > Hmm, ok then, but why is it still open several months after being
> > > discovered if we know exactly what the problem is?

> > Because it's a low-risk vulnerability (no direct privilege escalation, just
> > a brute-force vector) that only affects users running SELinux-enabled
> > kernels in non-enforcing mode, and I disagree with upstream about the
> > appropriate fix for the bug.

> Since Etch will have solid selinux support out of the box it would be nice
> to have it fixed. Has an agreement over the appropriate fix been found in
> the mean time?

No, I still disagree with the upstream fix, but resolving this bug is now
one of my last blockers for pam in etch whether or not I end up having to
diverge from upstream.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/