Hello all,

Your feedback on the condor update situation (described below) would be appreciated.

Several weeks ago I prepared updates for condor for jessie (then-LTS), stretch, and buster (the latter two still under the security team umbrella) to address CVE-2019-18823. The description of the fix is "an information disclosure of authentication credentials could allow an attacker to impersonate an authenticated user and perform actions as that user."

I messaged the security team to seek counsel regarding the best way to proceed with the update in stretch and buster with the intent of resolving that question before proceeding with the jessie update. The security team asked about what sort of testing had been performed. Not being a user of condor, my ability to test the changes is limited, and since the changes involve the authentication mechanisms, it would perhaps be unwise to publish the update without some form of testing.

Thus far I have not taken further action. On the one hand it seems a shame to discard the prepared update, but on the other hand the security team's concern regarding potential regressions is quite correct.

Does anyone have any specific suggestions? That is, is anyone able to offer to test these packages or know someone who might be able to? Apart from that, might there be an approach to minimize the possibility of a regression?

Regards,

-Roberto

--
Roberto C. Sánchez