On Mon, Jul 13, 2020 at 10:13:34AM +0200, Sylvain Beucler wrote:
> Hi Roberto,
>
> On 12/07/2020 13:44, Roberto C. Sánchez wrote:
> > Your feedback on the condor update situation (described below) would be
> > appreciated.
> >
> > Several weeks ago I prepared updates for condor for jessie (then-LTS),
> > stretch, and buster (the latter two still under the security team
> > umbrella) to address CVE-2019-18823. The description of the fix is "an
> > information disclosure of authentication credentials could allow an
> > attacker to impersonate an authenticated user and perform actions as
> > that user."
> >
> > I messaged the security team to seek counsel regarding the best way to
> > proceed with the update in stretch and buster with the intent of
> > resolving that question before proceeding with the jessie update. The
> > security team asked about what sort of testing had been performed. Not
> > being a user of condor, my ability to test the changes is limited, and since
> > the changes involve the authentication mechanisms, it would perhaps be
> > unwise to publish the update without some form of testing. Thus far I
> > have not taken further action.
> >
> > On the one hand it seems a shame to discard the prepared update, but on
> > the other hand the security team's concern regarding potential
> > regressions is quite correct.
> >
> > Does anyone have any specific suggestions? That is, is anyone able to
> > offer to test these packages or know someone who might be able to?
> > Apart from that, might there be an approach to minimize the possibility
> > of a regression?
>
> If not already, I would suggest contacting the Debian package
> maintainers since this isn't fixed in unstable yet.
> They can also give more pointers.
>
That is an excellent suggestion. It had not even crossed my mind. Thanks.

Regards,

-Roberto

--
Roberto C. Sánchez