Hi Yaroslav,

On Saturday 29 December 2007 21:23, Thijs Kinkhorst wrote:
> I'm sorry for the delay in taking this issue on. Here's my response to your
> patch. In short, I think most issues are more relevant to a stable update
> than to a security update.
As you've seen Moritz has commented as well. I've shortly talked with him and he has a good point: some issues may not be worthwhile of a DSA in itself but could be included if we are sending a DSA anyway. Still we need to strike a balance between the security-relatedness and the "chance of breakage" that every change introduces.

> + * NOT RELEASED YET
> + * Propagated fix for asctime pattern from 0.7.8 release (closes:
> #421848)
>
> As you say yourself in that bugreport - it's not really a security issue
> and only for a specific filter of Apache. This may be a candidate for a
> stable update (check with SRM) but please leave it out of the security
> update.

Ok, let's include this one.

> + * Propagated fix for not closed log files from 0.7.8-1
> + (closes: #439962,434368)
> + * Propagated fix for "reload" bug which is as sever as #439962 and just
> + never was hit by any Debian user yet
>
> As you said in your other mail, these issues are related to fail2ban
> stalling upon reload. That is a serious bug but not a security issue. Of
> course fail2ban not functioning in itself can be considered as a security
> issue because it's specifically designed to prevent other attacks. However,
> there's no concrete attack possible because of fail2ban failing to ban.

How long have these changes been in unstable/testing? Were there any problems with it? I'm willing to include them if they are reasonably well tested.

> + * Added patch 00_numeric_iptables-L to avoid possible DoS attacks
> + (introduced upstream in 0.7.6)
>
> If I understand this correctly, this makes iptables not do DNS lookups.
> While that's obviously a useful fix, I think it's not a serious security
> issue. There's lots of services doing one or more DNS lookup when something
> external connects to them, and skipping that where possible is good, but
> not something I would add to a security update, I'm sorry. Again, maybe the
> SRM's are willing to include this.
Ok, this fix is as I said not very security-related but on the other hand trivial. So let's include it.

> + * Propagated "Fixed removal of host in hosts.deny" from 0.7.6, to
> prevent + possible DoS
>
> This fix seems appropriate to a security update.
>
> + * Rigid call to python2.4 instead of via /usr/bin/env to prevent
> + in-the-middle attack via environment poisoning
>
> I think this is out of scope for a security update, or even a stable update
> if you ask me. Please do not include it in the security update at least,
> and discuss with the stable release team if you want it included in etch
> still.

I still think this is not appropriate, sorry.

> Concluding: please prepare a package for stable with the two mentioned
> issues fixed (please include relevant CVE id and bug numbers in the
> changelog) and send us the debdiff for a last review.

Please do so with this revised information :-)

Thijs