On Sun, Feb 18, 2007 at 07:24:16AM +1100, Paul Szabo wrote:
> Dear Maintainer,
>
> Yes, the bug in the patch was mine: meant to check the return status of
> setgid(getegid()) but somehow managed to mis-type that into
> setgid(geteuid()). Stupid mistake. Shame on me.
>
> Now, linux-ftpd_0.17-20sarge2.diff.gz was dated September 2006 as per
> your latest "closure" message
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384454;msg=44
> (or maybe 20 Nov 2006 as per
> http://www.debian.org/security/2006/dsa-1217
> or 13 Nov 2006 as the date on current
> http://security.debian.org/pool/updates/main/l/linux-ftpd/linux-ftpd_0.17-20sarge2.diff.gz
> ) and contains the "wrong" patch.
>
> So this seems fixed in etch 0.17-23 since 25 Nov 2006, but not yet in
> sarge (==stable) 0.17-20sarge2. Please fix for sarge also.

I sent the fix to the security team, but they decided to ignore it. I
wasn't in the mood to fight with them... Feel free to contact them at
[EMAIL PROTECTED]
You can Cc me if you want.

Regards,

Alberto

--
Alberto Gonzalez Iniesta    | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3