| From | Ola Lundqvist <ola@inguza.com> |
|---|---|
| Newsgroups | linux.debian.security |
| Subject | Vulnerability in pcs or is it in more generic code? |
| Date | 2022-09-05 22:00 +0200 |
| Message-ID | <F2qqd-5x85-5@gated-at.bofh.it> (permalink) |
| Organization | linux.* mail to news gateway |
Hi fellow Debian LTS and Debian Security members

When triaging the packages for LTS I looked into the package pcs. I saw that it was already added to DSA needed so I have added it to DLA needed as well.

However when reading the correction for it I started to think that the vulnerability may not be in PCS itself, but rather in Thin::Backends::UnixServer::connect because the correction is to override that function with a more secure umask.

I agree that it is good to fix the pcs package, but shouldn't we fix the default umask in general? I would argue that the default umask is insecure.

What do you think?

Cheers

// Ola

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
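The question in the message above turns on how the umask in effect at bind time decides who can reach a Unix socket. The following Ruby sketch is an added example, not code from pcs or Thin; the helper names `with_umask`, `socket_mode_under` and `bind_private`, the mask values and the 0600 target mode are assumptions chosen for illustration. It shows the socket file mode Linux assigns under three umasks, and a bind wrapper whose result does not depend on the inherited umask:

```ruby
require "socket"
require "tmpdir"

# Run the block with the process umask set to `mask`, then restore the
# previous value even if the block raises.
def with_umask(mask)
  previous = File.umask(mask)
  begin
    yield
  ensure
    File.umask(previous)
  end
end

# Bind a Unix domain socket at `path` under `mask` and return the permission
# bits the kernel gave the socket file (0777 & ~umask on Linux).
def socket_mode_under(mask, path)
  server = with_umask(mask) { UNIXServer.new(path) }
  File.stat(path).mode & 0o777
ensure
  server&.close
  File.unlink(path) if File.exist?(path)
end

# Hardened bind: create the socket under a restrictive umask so it is never
# briefly reachable by other users, then set the intended mode explicitly.
def bind_private(path, mode: 0o600)
  server = with_umask(0o077) { UNIXServer.new(path) }
  File.chmod(mode, path)
  server
end

# Constructed demonstration: same bind call, three different umasks.
def demo
  Dir.mktmpdir("umask-demo") do |dir|
    [0o000, 0o022, 0o077].to_h do |mask|
      [mask, socket_mode_under(mask, File.join(dir, "s.sock"))]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |mask, mode| puts format("umask %04o -> socket mode %04o", mask, mode) }
end
```

`File.umask` is process-wide, so in a multithreaded server the temporary change also applies to any file another thread creates while the block runs.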