Florian Weimer <f...@deneb.enyo.de> writes:

> * Arto Jantunen:
>
>>> In Debian (and all other distros I know of) the bcfg2 server runs as
>>> root, so in practice this is a remote root hole (limited to attackers
>>> who can connect to the bcfg2 server (protected by a password and/or an
>>> ssl key)).
>>
>> .dsc and .debian.tar.gz for a fixed package are attached. I'll upload
>> the fix to unstable next.
>
> There's a spurious diff in the changelog:
>
>  bcfg2 (1.0.1-3+squeeze1) stable-security; urgency=high
>  
>    * Apply patch from Chris St. Pierre to fix several problems with
> -    unescaped shell commands (Closes: #640028).
> +    unescaped shell commands
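Review bot: the `+` line loses the `(Closes: #640028)` reference and the closing period that the `-` line carries, so the changelog entry no longer names the bug it fixes. Keep the `-` form of the line unless dropping the reference is intended.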
>
> But the actual patch seems fine.  Please build without -sa and upload
> to security-master.  Thanks!

I have fixed the mistake in the changelog, built the package and
uploaded the result.

-- 
Arto Jantunen


