On Fri, 28 Jun 2019 02:46:57 +0200 Guillem Jover <guil...@debian.org> wrote:
> > it should be more backward-compatible, as it does not require adding
> > --user or --exec to fix the init.d scripts, but on the other hand it
> > needs to fail if the pidfile is group-writable (hoping it is
> > uncommon)
>
> Right, this last bit is the main reason I didn't do this from the
> start, and after some pondering, I decided to skip this patch for
> 1.19.7, because it looked like the breakage due to the group-writable
> pidfiles is a new unknown, and it might be harder (more involved) to
> fix as it might require changes to the daemon code itself, instead of
> just a few lines in the init script.

Based on the actual data (bug reports), none of these would be affected by
a group-writable pidfile, and all are affected by the need to add the
--user/exec options, but I understand it may be too late in the release
cycle for such changes.

> I guess I might be open to apply them in the future, but it might not
> make much of a difference in case most of the reported problems have
> been fixed already, or we might trade them for new problems, so there
> would need to be a very compelling reason.

I think you should consider it for buster+1 at least, as the actual fix
for the CVE is incomplete and not all the regressions have been fixed
(920466 924311 924640), but at least they all have patches included.

> Thanks for the patches though!

Thank you for the review!

ciao
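The group-writable pidfile check discussed in the thread, as an added example that is not part of the thread and not dpkg's own start-stop-daemon code: a Python helper that refuses to act on a pidfile unless it is a regular file, owned by the expected uid, and writable by nobody but its owner, so that another account cannot choose which PID an init script signals. The function names, the sample PID 12345 and the temporary files are constructed for the demo.

```python
import os
import stat
import tempfile


def pidfile_is_trustworthy(path, expected_uid):
    """Return (ok, reason). Reject anything that is not a plain file owned by
    expected_uid, and anything writable by group or others."""
    try:
        st = os.lstat(path)  # lstat: a symlink planted in place of the file fails S_ISREG
    except FileNotFoundError:
        return False, "pidfile does not exist"
    if not stat.S_ISREG(st.st_mode):
        return False, "pidfile is not a regular file"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "pidfile is group- or world-writable"
    if st.st_uid != expected_uid:
        return False, "pidfile owned by uid %d, expected %d" % (st.st_uid, expected_uid)
    return True, "ok"


def read_pid(path, expected_uid):
    """Return the PID from a trustworthy pidfile, or None if it must not be used."""
    ok, _reason = pidfile_is_trustworthy(path, expected_uid)
    if not ok:
        return None
    with open(path) as f:
        text = f.read().strip()
    # Only a positive integer > 1 is acceptable: 0 would signal the whole
    # process group and 1 is init; anything non-numeric is garbage.
    if not text.isdigit() or int(text) <= 1:
        return None
    return int(text)


def demo():
    """Constructed sample: three pidfiles that differ only in permission bits."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("ok.pid", 0o644), ("group.pid", 0o664), ("world.pid", 0o666)):
            p = os.path.join(tmp, name)
            with open(p, "w") as f:
                f.write("12345\n")
            os.chmod(p, mode)
            results[name] = read_pid(p, os.getuid())
        results["missing.pid"] = read_pid(os.path.join(tmp, "missing.pid"), os.getuid())
    return results  # {'ok.pid': 12345, 'group.pid': None, 'world.pid': None, 'missing.pid': None}
```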
> > it should be more backward-compatible, as it does not require adding > > --user or --exec to fix the init.d scripts, but on the other hand it > > needs to fail if the pidfile is group-writable (hoping it is > > uncommon) > > Right, this last bit is the main reason I didn't do this from the > start, and after some pondering, I decided to skip this patch for > 1.19.7, because it looked like the breakage due to the group-writable > pidfiles is a new unknown, and it might be harder (more involved) to > fix as it might require changes to the daemon code itself, instead of > just few lines in the init script. based on the actual data (bug reports), none of these would be affected by a group-writable pidfile and all are affected by the need to add --user/exec options, but I understand it may be too late in the release cycle for such changes > I guess I might be open to apply them in the future, but it might not > make much of a difference in case most of the reported problems have > been fixed already, or we might trade them for new problems, so there > would need to be a very compelling reason. I think you should consider it for buster+1 at least, as the actual fix for the CVE is incomplete and not all the regressions has been fixed (920466 924311 924640) but at least they all have patches included > Thanks for the patches though! thank you for the review! ciao