
Bug#303198: Bug#307784: pam-pgsql: CAN-2004-0366



> On Thu, May 05, 2005 at 03:41:13PM +0200, Primoz Bratanic wrote:
> > Package: pam-pgsql
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> 
> > The problem reported in BUG#230875 and marked as fixed (NMU upload) was open
> > again. The changes have disappeared. Please see the patch attached to
> > Bug#230875 regarding SQL injection problem with changing password (easy
> > impact would be changing uid to 0 ... root compromise).
> 
> It looks like the upload that reverted these changes was a botched attempt at
> orphaning the package.  Bug #303198, however, is currently titled "RFA", not
> "O".  Joerg, was your intention here to continue maintaining pam-pgsql until
> someone else comes along to do so, or were you trying to orphan the package
> immediately so that you're no longer responsible for it?
> 
> If it is indeed the maintainer's intention to orphan this package, I
> would recommend removing it from sarge on account of the progressive
> security issues.

I would be willing to fix and maintain the package if there is someone who would be willing to sponsor the upload.

Primoz Bratanic
