Steve Langasek wrote:
> > > > This bug should be able to be closed as fixed in version 0.79.
> > >
> > > No, it shouldn't. This bug is known to be present in the Debian pam 0.79
> > > package, which includes a patch from the Debian selinux maintainers which
> > > does indeed open this (relatively minor) security hole.
> >
> > Hmm, ok then, but why is it still open several months after being
> > discovered if we know exactly what the problem is?
>
> Because it's a low-risk vulnerability (no direct privilege escalation, just
> a brute-force vector) that only affects users running SELinux-enabled
> kernels in non-enforcing mode, and I disagree with upstream about the
> appropriate fix for the bug.

Since Etch will have solid selinux support out of the box it would be nice to
have it fixed. Has an agreement over the appropriate fix been found in the
mean time?

Cheers,
Moritz