Bdale Garbee wrote:
> On Thu, 2005-12-22 at 09:15 +0100, Martin Schulze wrote:
> 
> > It's a box of pandora.  You can hardly hit all variables.
> > 
> > Bdale, what's your opinion?
> 
> One of the workarounds suggested by upstream in the p12 release
> announcement is:
> 
>     Alternately, the administrator can add a line to the top of
>     sudoers file:
> 
>     Defaults        env_reset
> 
>     which will reset the environment to only contain the variables
>     HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing
>     this attack.
> 
> My inclination for unstable is to just package p12 and upload it as-is.

Ack.  Sounds reasonable.

> It might also be reasonable to add the env_reset entry to the sudoers
> file we create if none already exists?  I think I'll do that.  But

Yes.

> forcing a change on already-installed systems of that kind certainly
> doesn't make sense.

I'm not quite sure.  That would leave existing systems in a vulnerable
state, even though we have corrected this in woody + sarge (by another
means, though).

A note to NEWS.Debian should be read at least.

When you've uploaded the sid package, please drop me a line.
I assume that 

Regards,

        Joey

-- 
All language designers are arrogant.  Goes with the territory...
        -- Larry Wall

Please always Cc to me when replying to me on the lists.
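As an added example, not part of this thread and not code from the sudo package or from Debian, the following POSIX shell script audits a sudoers file for the `Defaults env_reset` setting the workaround above relies on. It handles the cases a quick `grep` gets wrong: comments, several options on one `Defaults` line, and a later `!env_reset` that switches the option back off. It only considers global `Defaults` lines (not per-user or per-host `Defaults:` / `Defaults@` variants) and does not follow `#include` directives. The function names and the sample sudoers files are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original thread or the sudo project):
# check whether a sudoers file enables "Defaults env_reset".

# Returns 0 if env_reset is in effect for the global Defaults, 1 otherwise.
sudoers_has_env_reset() {
    file="$1"
    # Strip comments first (this also drops #include lines, which are not followed),
    # then inspect only global "Defaults" lines. One Defaults line may carry several
    # comma-separated options, and "!env_reset" explicitly disables the flag.
    sed 's/#.*$//' "$file" \
    | awk '
        BEGIN { found = 0 }
        $1 == "Defaults" {
            line = ""
            for (i = 2; i <= NF; i++) line = line (i > 2 ? " " : "") $i
            n = split(line, opts, /[ \t]*,[ \t]*/)
            for (j = 1; j <= n; j++) {
                gsub(/^[ \t]+|[ \t]+$/, "", opts[j])
                if (opts[j] == "env_reset")  found = 1
                if (opts[j] == "!env_reset") found = 0
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Print a one-line verdict per file.
report_env_reset() {
    for f in "$@"; do
        if sudoers_has_env_reset "$f"; then
            echo "$f: env_reset set"
        else
            echo "$f: env_reset NOT set (caller environment is passed through)"
        fi
    done
}

# Constructed sample sudoers files, written to a temporary directory so the
# example runs offline and never touches /etc/sudoers.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/vulnerable.sudoers" <<'EOF'
# No env_reset: the caller's environment reaches the command
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF

cat > "$tmp/hardened.sudoers" <<'EOF'
# Workaround from the announcement quoted above, on the first line
Defaults        env_reset
root    ALL=(ALL) ALL
EOF

cat > "$tmp/combined.sudoers" <<'EOF'
Defaults        env_reset, mail_badpass   # several options on one line
root    ALL=(ALL) ALL
EOF

cat > "$tmp/disabled.sudoers" <<'EOF'
Defaults        env_reset
Defaults        !env_reset                # a later line switches it off again
root    ALL=(ALL) ALL
EOF

report_env_reset "$tmp"/*.sudoers
```

Run it as `sh audit-env-reset.sh`; to check a real system, call `sudoers_has_env_reset /etc/sudoers` as root. The awk pass is deliberately conservative: it reports "set" only when the last global `Defaults` mention of the flag enables it, which is what sudo itself applies.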

