Freek Dijkstra wrote:
> The correct action in this case, IMHO, should have been to apply the
> patch (of course!), but also add a postinst script, which gives a BIG
> warning telling people that they need to change /etc/sudoers.
> The postinst scripts of the kernel-image-* packages are examples of how it
> should have been done. I sincerely hope that we will shortly see a
> sudo_1.6.8p7-1.4 which has such a warning.
This big warning is the DSA advisory. If you install security updates you have to read it; there is no way around it.

> I also recommend taking a look at bug #349129:
> "The new behaviour regarding env sanitising is not reflected in the
> sudoers or the sudo manpages and there is no news.debian file in the
> sarge package; one must read the security announcement very precisely
> to find out how to deal with the change."

If someone wants to prepare a more elaborate explanation of what needs to be done to whitelist env vars and the possible caveats, please send it to [EMAIL PROTECTED] and we could send it out as 946-2; that would be better than people reverting their installations to the vulnerable 1.2 version.

Cheers,
Moritz
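The write-up Moritz asks for is not part of this thread. As an added illustration (not text from the DSA, from Debian, or from either poster), the shape such a whitelist takes in /etc/sudoers with the env_reset and env_keep options that sudo 1.6.8 provides is shown below; the user name, command and variable names are illustrative assumptions, not a recommended policy.

```sudoers
# Added example, not from the thread or from DSA-946.
# Keep the environment reset that the security update turned on by
# default; turning it off again ("Defaults !env_reset") restores the
# behaviour the advisory fixed, which is what reverting to the old
# package would also do.
Defaults    env_reset

# Variables listed here survive the reset for every command. Keep the
# list short and never add loader or shell control variables such as
# LD_PRELOAD, LD_LIBRARY_PATH, PATH or PS4: passing those through is
# exactly what the sanitising is meant to stop. The += operator appends
# to the list; a bare "=" would replace whatever the default list holds.
Defaults    env_keep += "LANG LC_ALL TZ"

# Per-user addition (assumed scenario): an account that runs package
# operations through sudo and needs a proxy setting to reach the mirror.
Defaults:builder    env_keep += "http_proxy"

builder  ALL = (root) /usr/bin/apt-get
```

Edit the file with visudo rather than a plain editor, so the syntax is checked before the file is installed; a typo in a Defaults line can otherwise lock every user out of sudo until it is repaired from a root shell.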