On Tue, Dec 15, 2009 at 02:56:19PM -0600, Raphael Geissert wrote:
> Reconsidering, both are going through the security repository.

I already uploaded the Lenny version to proposed-updates. Should I re-up?

> Could you please prepare the packages and send the debdiff to t...@?

The Lenny debdiff is attached.

Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De, Michael at Meskes dot (De|Com|Net|Org)
Michael at BorussiaFan dot De, Meskes at (Debian|Postgresql) dot Org
ICQ: 179140304, AIM/Yahoo/Skype: michaelmeskes, Jabber: mes...@jabber.org
VfL Borussia! Forca Barca! Go SF 49ers! Use: Debian GNU/Linux, PostgreSQL

diff -u acpid-1.0.8/debian/acpid.postinst acpid-1.0.8/debian/acpid.postinst --- acpid-1.0.8/debian/acpid.postinst +++ acpid-1.0.8/debian/acpid.postinst @@ -11,6 +11,11 @@ rm -f /etc/rc1.d/K20acpid /etc/rc[2-5].d/S20acpid fi +# Fix very old permission problem +if dpkg --compare-versions "$2" lt-nl "1.0.8-1lenny2"; then + [ -f /var/log/acpid ] && chmod 640 /var/log/acpid* +fi + HAL_NEEDS_RESTARTING=no case "$1" in configure|reconfigure) diff -u acpid-1.0.8/debian/changelog acpid-1.0.8/debian/changelog --- acpid-1.0.8/debian/changelog +++ acpid-1.0.8/debian/changelog @@ -1,3 +1,10 @@ +acpid (1.0.8-1lenny2) stable-proposed-updates; urgency=high + + * Correct permissions that were incorrectly set by very old acpid versions. + This fixes CVE-2009-4235. + + -- Michael Meskes <mes...@debian.org> Tue, 15 Dec 2009 13:17:54 +0100 + acpid (1.0.8-1lenny1) stable-security; urgency=high * Added upstream's patch to fix CVE-2009-0798
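Review bot: In the debian/acpid.postinst hunk, the guard and the action do not cover the same files: `[ -f /var/log/acpid ]` tests only the current log, while `chmod 640 /var/log/acpid*` acts on everything the glob matches. If /var/log/acpid is absent but rotated copies remain, those copies keep their old mode, so the fix is skipped in exactly the case where only old logs are left. Looping over the glob and testing each entry with `[ -f "$f" ] && [ ! -L "$f" ]` before the chmod would cover rotated logs and avoid changing the mode of a symlink target or an unrelated file whose name happens to start with "acpid". The block also sits above `case "$1" in`, so it runs for every postinst action, not only `configure`; moving it into the `configure|reconfigure)` branch would tie the `$2` version comparison to the action where that argument is the previously configured version. The comment could name CVE-2009-4235 so the reason for the chmod is clear to whoever reads the script later.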
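Review bot: In the debian/changelog hunk, the new entry targets `stable-proposed-updates`, while the entry directly below it (1.0.8-1lenny1) targets `stable-security` and the quoted message says the upload is going through the security repository. If this version is to be released that way, the distribution field in the first line of the entry should read `stable-security`. The entry text would also be more useful if it named the affected path and the resulting mode (/var/log/acpid*, 640), since "Correct permissions" alone does not say what the postinst changes.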