Package: openssh-server
Version: 4.3p2-9etch2
Severity: minor
During connection openssh-server sends its version string to the client.
While that is perfectly ok for the version string itself, the
information added to the version string gives away free additional
information to a potential attacke
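Added example, not part of the bug report above: a small parser for the SSH identification line as defined in RFC 4253, section 4.2, which separates the protocol version and software version a client actually needs from the optional comments field where distribution-specific details end up. The sample banners are constructed for illustration; the "Debian-9etch2" comment is an assumption modelled on the package version quoted in the report, not a banner captured from a real host.

```python
"""Parse SSH identification lines (RFC 4253, section 4.2) and show which
part of the banner goes beyond the bare protocol/software version."""
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SshIdent:
    protoversion: str        # e.g. "2.0"
    softwareversion: str     # e.g. "OpenSSH_4.3p2"
    comments: Optional[str]  # optional free text after a single space


# Constructed sample banners (not captured from a real host). The Debian
# suffix is an assumption modelled on the package version in the report.
SAMPLE_BANNERS: Dict[str, bytes] = {
    "with_comment": b"SSH-2.0-OpenSSH_4.3p2 Debian-9etch2\r\n",
    "plain": b"SSH-2.0-OpenSSH_4.3p2\r\n",
}


def parse_ident(line: bytes) -> SshIdent:
    """Split one identification line into its RFC 4253 fields.

    Format: SSH-protoversion-softwareversion SP comments CR LF
    The comments field (everything after the first space) is optional.
    """
    text = line.rstrip(b"\r\n").decode("ascii")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification line: %r" % text)
    head, _, comments = text.partition(" ")
    parts = head.split("-", 2)  # "SSH", protoversion, softwareversion
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed identification line: %r" % text)
    return SshIdent(parts[1], parts[2], comments or None)


def extra_disclosure(ident: SshIdent) -> List[str]:
    """Tokens the server volunteers beyond protocol and software version.

    A client only needs protoversion and softwareversion for compatibility
    handling; whatever appears in comments is additional information.
    """
    return ident.comments.split() if ident.comments else []


def fetch_ident(host: str, port: int = 22, timeout: float = 5.0) -> SshIdent:
    """Read the server's identification line from a live host.

    RFC 4253 allows the server to send other lines (not starting with
    "SSH-") before the identification line; those are skipped here.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        buf = b""
        while True:
            chunk = sock.recv(256)
            if not chunk:
                raise ConnectionError("server closed before identifying")
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                if line.startswith(b"SSH-"):
                    return parse_ident(line + b"\n")


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        ident = parse_ident(banner)
        print(name, ident.softwareversion, "extra:", extra_disclosure(ident))
```

Running the script against the constructed banners prints the software version of each and, for the Debian-style banner, the single extra token in the comments field; `fetch_ident()` does the same against a live host and is not exercised offline.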
Package: libpam-modules
Version: 0.79-4
Severity: grave
adding "session required pam_limits.so" to /etc/pam.d/login results in
limits being taken ONLY from /etc/security/limits.conf - all default values
are flushed.
PROBLEMS
1) This is a minor security issue because the default configuratio
>I doubt that this is a serious problem
[...]
>Right, problems should be minimized if possible.
Anyway, I think we can agree it should be fixed (whether it is "serious" or
not).
Just for the sake of argument:
according to Debian policy it is "serious", see
1) http://www.debian.org/Bugs/Develope
Package: gnupg
Version: 1.4.6-2
Severity: serious
gnupg binary is setuid root.
"ls -l /usr/bin/gpg
-rwsr-xr-x 1 root root 837304 2007-03-07 23:16 /usr/bin/gpg"
PROBLEMS
1) bugs in gnupg will potentially allow for rights-escalation by restricted
users
2) Setuid flag was necessary for backwards-
On Sunday, 18. November 2007 22:03:43 Eric Cooper wrote:
> On Sun, Nov 18, 2007 at 12:21:21PM +0100, Emjay wrote:
> > SUGGESTION
> >
> > - fixing bug 343105 probably caused this
> > - using
> >
> > su -s /bin/sh approx -c "/usr/sbin/gc_approx --quiet"
Package: approx
Version: 2.8.0
Severity: normal
/etc/cron.weekly/approx exits prematurely with the following error when
libpam-tmpdir is installed and setup.
"/tmp/user/0/approx982b38: Permission denied"
PROBLEMS
1) gc_approx is initially run as root and does setuid32 to user approx
2) strace