* Arto Jantunen:

>> In Debian (and all other distros I know of) the bcfg2 server runs as
>> root, so in practice this is a remote root hole (limited to attackers
>> who can connect to the bcfg2 server (protected by a password and/or an
>> ssl key)).
>
> .dsc and .debian.tar.gz for a fixed package are attached. I'll upload
> the fix to unstable next.

There's a spurious diff in the changelog:

bcfg2 (1.0.1-3+squeeze1) stable-security; urgency=high
* Apply patch from Chris St. Pierre to fix several problems with
- unescaped shell commands (Closes: #640028).
+ unescaped shell commands

But the actual patch seems fine. Please build without -sa and upload
to security-master. Thanks!
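
Review bot: the `+` line of the changelog hunk drops both the `(Closes: #640028)` reference and the trailing period from the entry, and nothing else in the hunk changes. If the removal is not intended, keep the entry text identical to the `-` line so the changelog still ties the fix to the bug. If it is intended, say so in the upload mail so the difference is not read as accidental.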