Hi... I had been talking to Guy on irc a coupla times, and he let me know he'd work on the bug. It's been a few days, and today I tried to check the current status but it seems www.debian.org is down. Checking another mirror revealed a bug archive that was approximately 60-70 days old, so couldn't check to see if Guy closed this bug on that archive. Could someone check on the latest known archive? The last thing that I knew of, was bcwhite changed the status of the bug from "critical" to "normal" without making changes to the package itself to affect a corresponding change in functionality or notifying me, even automatically (I added a polite request to be so notified in the bug report; judging by the lack of any response, I'm not sure the report was even read or checked to determine if, in fact, the bug does exist before making this change.)
If the critical-to-normal change is the last thing to have happened, I am asking permission to upgrade the severity to grave; I am asking also that the bug be listed as a security bug for some of the following reasons:

Let me make sure I understand the situation:

If this bug can prevent all logins and is caused by a buffer overrun situation in login which causes same to segfault, this is a security bug. True?

If there are more buffer overrun potentialities in the shadow password suite, presently used by debian to authenticate users, then these too are security bugs waiting to be located. True?

Our particular situation: As it happens, the group file is used to place students in groups named by classes. If it doesn't work, this particular bug will wholly corrupt the group database at or near the point when the group line length reaches the critical-mass point of 1024 chars; this can affect a student's grade. Admittedly, there is nothing I saw in policy to cover such a situation, however I see nothing at all wrong with saying that this adds support to the claim that this is a bug involving security issues, and whether as such or not, is a situation which can at best be described as grave.

To Guy Maor: Please let me know if I can help by testing new patches. We now have a machine which is being used to experiment with the unstable side of debian. At the moment, it is also a local mirror for frozen, and as such is tracking it. I'd be quite happy to test what you have or even to do some coding as time permits. I am well aware that you inherited some of the 1024-byte situation; parts of it have existed since well before 0.93, and maybe even before debian existed at all.

-Jim
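The 1024-character group line limit described in the message above, as an added illustration that is not part of the original message and is not code from the shadow suite. It assumes the limit comes from a fixed 1024-byte `fgets()` buffer and compares that with a `getline()` reader that also flags over-long lines; the function names and the sample group file are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for getline() */
#include <stdio.h>
#include <stdlib.h>

#define LINE_LIMIT 1024           /* the limit named in the message */

/* Constructed sample: three group entries, the middle one 1262 bytes long. */
FILE *make_sample_group(void) {
    FILE *fp = tmpfile();
    if (!fp) return NULL;
    fputs("staff:x:50:alice\n", fp);
    fputs("cs101:x:1001:", fp);
    for (int i = 0; i < 250; i++)
        fprintf(fp, "%ss%03d", i ? "," : "", i);
    fputs("\nusers:x:100:\n", fp);
    rewind(fp);
    return fp;
}

/* Assumed failure model: every fgets() return is taken as one entry, so an
   over-long line is silently split into several bogus entries. */
int count_entries_fixed(FILE *fp) {
    char buf[LINE_LIMIT];
    int n = 0;
    while (fgets(buf, sizeof buf, fp)) n++;
    return n;
}

/* getline() grows its buffer, so one line stays one entry; lines that would
   not fit a LINE_LIMIT buffer are counted in *overlong for the admin. */
int count_entries_dynamic(FILE *fp, int *overlong) {
    char *line = NULL; size_t cap = 0;
    ssize_t len; int n = 0;
    for (*overlong = 0; (len = getline(&line, &cap, fp)) != -1; n++)
        if ((size_t)len >= LINE_LIMIT) (*overlong)++;
    free(line);
    return n;
}

int main(void) {
    FILE *fp = make_sample_group();
    if (!fp) return 1;
    int over, fixed = count_entries_fixed(fp);
    rewind(fp);
    int dyn = count_entries_dynamic(fp, &over);
    printf("fixed=%d dynamic=%d overlong=%d\n", fixed, dyn, over);
    fclose(fp);
    return 0;
}
```

The same over-long check can be pointed at a copy of a real group file to find entries approaching the limit before they are edited again.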