On Tue, Aug 04, 2009 at 01:45:31AM +0200, Simon Paillard wrote:
> > This bug does not affect stable, so I don't believe that a DSA is likely to
> > be issued for it. And given that this has already been posted to
> > debian-www, there's no reason to hide it now; re-adding the Cc:.
>
> > > Here is a skeleton and its HTML output:
> > > http://europe.ebzao.info/~spaillar/debian/webwml/english/security/pam.wml
> > > http://europe.ebzao.info/~spaillar/debian/webwml/english/security/pam.en.html
>
> > The latter link doesn't appear to work?
>
> A clean was performed in the meantime, the html output is back now.

Thanks, that makes it easier to read. :)

Filling in the blanks:

  XXX          -> 1.0.1-6
  $date_X.X.X  -> 28 Feb 2009
  YYY          -> 1.0.1-9
  ZZZ          -> 1.0.1-10

Now, as for the overall content, the first paragraph is very misleading, as
it implies that all users would have unsecured systems. Only a very small
minority of users (mainly, those with pathological debconf setups) will be
affected by the bug. So perhaps this is better?:

  From versions 1.0.1-6 to 1.0.1-9, the pam-auth-update utility included in
  the libpam-runtime package in Debian testing and unstable suffered from a
  bug whereby systems could be inadvertently configured to allow access with
  or without a correct password (<a href="http://bugs.debian.org/519927">519927</a>).
  Although the majority of users will not have been affected by this bug,
  those that are affected should consider their machines to be compromised,
  particularly if those machines are configured to allow access from the
  Internet.

We do *not* want to link to <doc/manuals/securing-debian-howto/ch4#s4.10>;
the advice there is expressly obsoleted by pam-auth-update, and some of the
recommendations there are obsolete long before.

For the next two paragraphs, perhaps this:

  Beginning with version 1.0.1-10, libpam-runtime no longer permits this
  incorrect configuration, and on upgrade will detect if your system was
  affected by this bug. If you were shown a message on upgrade directing you
  to this webpage, you should assume that your system has been compromised.

  Unless you are familiar with recovering from security failures, viruses,
  and malicious software <strong>you should re-install this system from
  scratch</strong> or obtain the services of a skilled system administrator.
  The <a href="$(HOME)/doc/manuals/securing-debian-howto/">securing-debian-howto</a>
  includes <a href="$(HOME)/doc/manuals/securing-debian-howto/ch-after-compromise">information
  on recovering from a system compromise</a>.

  The Debian project apologizes that previous versions of libpam-runtime did
  not detect and prevent this situation.

Thoughts?

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org