Bug#359042: How do you feel about an NMU?
On Wed, Apr 12, 2006 at 07:52:34PM +0200, Florian Weimer wrote:
> * Steve Langasek:
> > FWIW, I'm not convinced this bug warrants grave severity anyway; unless the
> > crasher bug allows arbitrary code execution as well, it doesn't seem like
> > this is really a big issue given that the radius clients shouldn't normally
> > be under the control of an attacker?

> Nowadays, RADIUS is performed across administrative boundaries. 8-/

> (And in a service provider environment, attacks on availability are
> often as significant as attacks on integrity or confidentiality.)

Ok. In any case, the current freeradius package has reached testing now, so
the mysql transition no longer blocks this fix.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#359042: How do you feel about an NMU?
* Steve Langasek:

> FWIW, I'm not convinced this bug warrants grave severity anyway; unless the
> crasher bug allows arbitrary code execution as well, it doesn't seem like
> this is really a big issue given that the radius clients shouldn't normally
> be under the control of an attacker?

Nowadays, RADIUS is performed across administrative boundaries. 8-/

(And in a service provider environment, attacks on availability are
often as significant as attacks on integrity or confidentiality.)
Bug#359042: How do you feel about an NMU?
On Fri, Apr 07, 2006 at 11:41:27AM +0100, Stephen Gran wrote:
> This one time, at band camp, Steve Langasek said:
> > On Fri, Apr 07, 2006 at 10:47:44AM +0100, Stephen Gran wrote:
> > > I generally don't like to NMU new upstream versions, but I see no
> > > activity on a security bug in a couple of weeks, so I thought I
> > > would ask.

> > Please don't upload until the current version has reached testing.
> > freeradius is among the many packages currently tied into the
> > libmysqlclient ABI transition, which is a monster to manage -- getting
> > 200 packages unblocked and into etch needs to take precedence over one
> > RC bug, security or otherwise.

> No problem - quite understood.  I guess I added this one to your plate
> in the first place with my last NMU - sorry about that.

The impact of the last NMU is minimal, there are still some straggler
packages that need to be addressed before the transition finishes.  I just
wanted to head off any further uploads that might set us back. :)

> > FWIW, I'm not convinced this bug warrants grave severity anyway;
> > unless the crasher bug allows arbitrary code execution as well, it
> > doesn't seem like this is really a big issue given that the radius
> > clients shouldn't normally be under the control of an attacker?

> Hmm.  I read it to mean that clients could force auth bypass and
> potentially crash the server, as in any client, not just another radius
> client.  If you are correct, then it is not that big a deal.

I'm not certain that my interpretation is correct, so it should definitely
be treated as more severe unless someone shows otherwise.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#359042: How do you feel about an NMU?
This one time, at band camp, Steve Langasek said:
> On Fri, Apr 07, 2006 at 10:47:44AM +0100, Stephen Gran wrote:
> > I generally don't like to NMU new upstream versions, but I see no
> > activity on a security bug in a couple of weeks, so I thought I
> > would ask.
> 
> Please don't upload until the current version has reached testing.
> freeradius is among the many packages currently tied into the
> libmysqlclient ABI transition, which is a monster to manage -- getting
> 200 packages unblocked and into etch needs to take precedence over one
> RC bug, security or otherwise.

No problem - quite understood.  I guess I added this one to your plate
in the first place with my last NMU - sorry about that.

> FWIW, I'm not convinced this bug warrants grave severity anyway;
> unless the crasher bug allows arbitrary code execution as well, it
> doesn't seem like this is really a big issue given that the radius
> clients shouldn't normally be under the control of an attacker?

Hmm.  I read it to mean that clients could force auth bypass and
potentially crash the server, as in any client, not just another radius
client.  If you are correct, then it is not that big a deal.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
Bug#359042: How do you feel about an NMU?
On Fri, Apr 07, 2006 at 10:47:44AM +0100, Stephen Gran wrote:
> I generally don't like to NMU new upstream versions, but I see no
> activity on a security bug in a couple of weeks, so I thought I would
> ask.

Please don't upload until the current version has reached testing.
freeradius is among the many packages currently tied into the
libmysqlclient ABI transition, which is a monster to manage -- getting
200 packages unblocked and into etch needs to take precedence over one
RC bug, security or otherwise.

FWIW, I'm not convinced this bug warrants grave severity anyway; unless the
crasher bug allows arbitrary code execution as well, it doesn't seem like
this is really a big issue given that the radius clients shouldn't normally
be under the control of an attacker?

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#359042: How do you feel about an NMU?
Hello,

I generally don't like to NMU new upstream versions, but I see no
activity on a security bug in a couple of weeks, so I thought I would
ask.

Thanks,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------