Hi Christoph, hi Uwe,

On Mon, Jun 02, 2025 at 04:25:49PM +0200, Christoph Berg wrote:
> Control: tag -1 security
>
> Security team, I'm unsure if that warrants a security update?
>
> I could instead do a stable update, but then there's the extra
> question if that's in time before the trixie release to avoid the
> functional problem.

For reference documenting the outcome of a IRC conversation in this
buglog: An update via the point release for bookworm (with maybe the
option to release an update earlier via a SUA and -updates seems fine,
can you ask this as well to the SRM?).

While there is an issue as found by Uwe, in context of the systemd
units the current working directory would be /, and

[12:24] < Myon> ukleinek: most of the pg_*cluster programs chdir / before 
calling it, and chuid to the target user,
                so it's likely hard to exploit. pg_{backup,restore}cluster 
being the ones with more potential I think

(Note worstcase if the SUA option is not accepted and no point release
happens before the trixie release we can then still ask release team
to reject the upload and have it go through bookworm-security for
addressing it's . in PATH security aspect).

Regards,
Salvatore

Reply via email to