> On 2016/05/04 17:48, Ted Unangst wrote:
> > i think it's time. otherwise we'll never find the bugs.
>
> I don't think it's time since afaicr nobody other than me has fixed
> anything for this in ports yet. They're not hard to find, try screen
> lockers for starters. Because this is using a different API than
> everyone else with shadow passwords we don't get fixes for free -
> anything using pw_passwd from getpw{nam,uid}() needs modifying.
>
> If you'd sent this 10 days ago we could have had enough of them
> fixed at p2k16. As I won't have time to do that now, here are
> unfiltered search results from ports source (unpacked Aug 2015
> so there may be some more by now). I'll have a look and see if
> I've got any notes on which ones I already looked at.

Bummer, bad timing. Anyways, it would be really nice if we can get the issues resolved before end of June, because 6.0 should have this. It is a valuable security improvement.