On Sun, Mar 04, 2007 at 08:55:21AM +0000, Gerrit Pape wrote:
> On Sat, Mar 03, 2007 at 08:46:28PM -0800, Steve Langasek wrote:
> > The description of this bug in the upstream changelog is:
> > - Security: dbclient previously would prompt to confirm a
> >   mismatching hostkey but wouldn't warn loudly. It will now
> >   exit upon a mismatch.
> >
> > Why should "it didn't warn loudly" be a grave security bug? Isn't any sort
> > of prompt already a pretty loud warning in terms of user experience? Did
> > the prompt fail to mention that there was a key mismatch somehow?

> It doesn't report the key mismatch, the prompt is the same for an
> unknown host and a mismatched host.

Ok, gotcha.

> I would like to see this fixed in etch (and sarge), and now realize that
> uploading the new upstream version wasn't the right thing. Do you agree
> with an upload of 0.48.1-2 with a fix to this bug only to t-p-u?

Yes, please.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
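The distinction the thread turns on (an unknown host may be confirmed by the user; a host whose stored key differs must not be) can be made explicit in the client's verification logic. The following is an added illustration, not dropbear's code; it assumes a simplified "host keytype key" known_hosts line format and uses constructed placeholder key strings.

```python
"""Host-key verification policy: tell 'unknown host' apart from 'key mismatch'.

Constructed example, not dropbear's own code. The known_hosts text uses a
simplified "host[,host...] keytype key" line format; keys are placeholders.
"""
from enum import Enum


class HostKeyStatus(Enum):
    MATCH = "match"        # stored key equals the presented key
    UNKNOWN = "unknown"    # no entry for this host: first connection
    MISMATCH = "mismatch"  # host has an entry, but the key differs


def check_hostkey(known_hosts: str, host: str, keytype: str, key: str) -> HostKeyStatus:
    """Look the host up in known_hosts text and classify the presented key."""
    seen_host = False
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: ignore rather than trust
        hosts, ktype, kdata = parts[0].split(","), parts[1], parts[2]
        if host not in hosts or ktype != keytype:
            continue
        seen_host = True
        if kdata == key:
            return HostKeyStatus.MATCH
    return HostKeyStatus.MISMATCH if seen_host else HostKeyStatus.UNKNOWN


def decide(status: HostKeyStatus) -> tuple:
    """Return (may_prompt_user, message). A mismatch never becomes a yes/no prompt."""
    if status is HostKeyStatus.MATCH:
        return (False, "host key verified")
    if status is HostKeyStatus.UNKNOWN:
        return (True, "host key unknown; show fingerprint and ask the user to confirm")
    return (False, "HOST KEY MISMATCH: possible man-in-the-middle, refusing to connect")


# Constructed known_hosts content with placeholder key material.
KNOWN_HOSTS = """\
# host  keytype  key
example.org ssh-rsa AAAAB3placeholderKEY1
mirror.example.org,10.0.0.5 ssh-rsa AAAAB3placeholderKEY2
"""

if __name__ == "__main__":
    for host, key in [("example.org", "AAAAB3placeholderKEY1"),
                      ("example.org", "AAAAB3differentKEY"),
                      ("new.example.org", "AAAAB3placeholderKEY3")]:
        status = check_hostkey(KNOWN_HOSTS, host, "ssh-rsa", key)
        print(host, status.value, decide(status)[1])
```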