Bdale Garbee wrote:
> On Thu, 2005-12-22 at 09:15 +0100, Martin Schulze wrote:
>
> > It's a box of pandora. You can hardly hit all variables.
> >
> > Bdale, what's your opinion?
>
> One of the workarounds suggested by upstream in the p12 release
> announcement is:
>
> Alternately, the administrator can add a line to the top of
> sudoers file:
>
> Defaults env_reset
>
> which will reset the environment to only contain the variables
> HOME, LOGNAME, PATH, SHELL, TERM, and USER, also preventing
> this attack.
>
> My inclination for unstable is to just package p12 and upload it as-is.

Ack. Sounds reasonable.

> It might also be reasonable to add the env_reset entry to the sudoers
> file we create if none already exists? I think I'll do that. But

Yes.

> forcing a change on already-installed systems of that kind certainly
> doesn't make sense.

I'm not quite sure. That would leave existing systems in a vulnerable
state, even though we have corrected this in woody + sarge (by another
means, though).

A note to NEWS.Debian should be read at least.

When you've uploaded the sid package, please drop me a line.
I assume that
Regards,
Joey
--
All language designers are arrogant. Goes with the territory...
-- Larry Wall
Please always Cc to me when replying to me on the lists.
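
An added example, not part of the original message and not code from sudo or Debian: a Python check for whether a sudoers file carries the "Defaults env_reset" workaround quoted above, including later entries or per-user entries that switch it back off. The sample file contents are constructed, and the function names, the simplified comment handling and the fact that #include files are not followed are assumptions of this example.

```python
import re

# Global entries read "Defaults <params>"; scoped ones attach :user, @host,
# >runas or !command to the keyword and only cover that subset.
DEFAULTS = re.compile(r'^Defaults([:@>!]\S+)?\s+(.*)$')
FLAG = re.compile(r'(?<![\w!])(!?)env_reset(?!\w)')

# Constructed sample sudoers contents, not taken from any real system.
SAMPLE = """\
# constructed sample sudoers
Defaults env_reset, \\
         timestamp_timeout=5
Defaults:alice !env_reset
root ALL=(ALL) ALL
"""

def logical_lines(text):
    """Join backslash continuations; drop comments and blank lines."""
    joined = re.sub(r'\\\n', ' ', text)
    for raw in joined.splitlines():
        # Assumption: " #..." starts a trailing comment (no '#' in values).
        line = re.sub(r'\s+#.*$', '', raw).strip()
        if line and not line.startswith('#'):
            yield line

def env_reset_settings(text):
    """Return (global_state, scoped) for the env_reset flag.

    global_state is True/False for the last global setting, None if the
    file never sets it. scoped lists (scope, state) for limited entries.
    """
    global_state, scoped = None, []
    for line in logical_lines(text):
        m = DEFAULTS.match(line)
        if not m:
            continue
        # Blank out quoted values so text inside them is not read as a flag.
        scope, params = m.group(1), re.sub(r'"[^"]*"', '""', m.group(2))
        for neg in FLAG.findall(params):
            state = neg != '!'
            if scope is None:
                global_state = state  # a later entry overrides an earlier one
            else:
                scoped.append((scope, state))
    return global_state, scoped

if __name__ == "__main__":
    print(env_reset_settings(SAMPLE))
```

A result of None for the global state means the file relies on whatever the installed sudo does when env_reset is not mentioned.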