Hi fellow Debian LTS and Debian Security members,

When triaging the packages for LTS I looked into the package pcs. I saw that it was already added to DSA needed, so I have added it to DLA needed as well. However, when reading the correction for it I started to think that the vulnerability may not be in PCS itself, but rather in Thin::Backends::UnixServer::connect, because the correction is to override that function with a more secure umask.

I agree that it is good to fix the pcs package, but shouldn't we fix the default umask in general? I would argue that the default umask is insecure. What do you think?

Cheers // Ola

--
--- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com o...@debian.org |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
---------------------------------------------------------------
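The point raised above is that the permission bits of a Unix-domain socket file are decided by the umask in force at bind time. The following is an added example (not code from the post, from pcs or from Thin) that binds a throwaway socket under a given umask and reports the resulting mode, showing the defensive pattern of tightening the umask only around the bind and restoring it afterwards; it assumes a Linux-style kernel that creates socket files as 0777 masked by the umask.

```ruby
# Added example: measure how the umask at bind time shapes a Unix socket's
# permission bits, and restore the process-wide umask afterwards.
require 'socket'
require 'tmpdir'

# Bind a temporary Unix socket with +umask+ in force only for the bind call.
# Returns the permission bits of the socket file (e.g. 0o700).
def socket_mode_with_umask(umask)
  Dir.mktmpdir do |dir|                 # constructed, throwaway socket path
    path = File.join(dir, 'example.sock')
    old_umask = File.umask(umask)        # tighten (or loosen) for the bind
    begin
      server = UNIXServer.new(path)      # socket file is created here
    ensure
      File.umask(old_umask)              # never leave the changed umask behind
    end
    begin
      File.stat(path).mode & 0o777       # permission bits of the socket file
    ensure
      server.close
    end
  end
end

# True when "other" users have any access to the socket file at all.
def socket_world_accessible?(mode)
  (mode & 0o007) != 0
end

if __FILE__ == $PROGRAM_NAME
  [0o000, 0o022, 0o077].each do |um|
    mode = socket_mode_with_umask(um)
    printf("umask %04o -> socket mode %04o (world access: %s)\n",
           um, mode, socket_world_accessible?(mode))
  end
end
```

A daemon that must expose a socket to a fixed group can bind under umask 0o007 and chown the socket to that group, keeping "other" at zero.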