Re: [Nano-devel] New prerelease for security tweaks


From: Chris Allegretta
Subject: Re: [Nano-devel] New prerelease for security tweaks
Date: Wed, 7 Apr 2010 11:25:43 -0400

Hey Jordi,

Ok, there are two commits, r4491 and 4492 which change actual
functionality.  In r4493 I just added a note about the risks of using
-B as root in the man pages.

I'm not aware of any CVEs for the issue since as the researcher states
"The issues presented here have been reported responsibly to both
downstream distribution security teams and the developers of nano, and
have not been prioritized as issues requiring a security update. They
may or may not be addressed in subsequent releases of nano, but I
agree with the assessment of the security teams I have spoken with:
these issues do not constitute a significant risk to users in most
cases"

I don't mind requesting a CVE once we're ready for the release but it
seems like we would want to have an official release ready beforehand,
rather than face some ill-informed uproar about how the fix is not
available yet and nano must be removed from their distro until one is
available.

As you're a downstream maintainer, if you or Mike or another
maintainer are strongly in favor of an official release sooner rather
than later, with the caveat that we'll be missing one translated
string from the release, I'm fine with it.  This isn't the type of
string that anyone is going to see normally anyway.

On Wed, Apr 7, 2010 at 6:11 AM, Jordi Mallach <address@hidden> wrote:
> Hi Chris!
>
> On Wed, Apr 07, 2010 at 02:41:19AM -0400, Chris Allegretta wrote:
>> Now that the AFJ fun is hopefully behind us,  we recently received
>> some new attention from a security perspective, and an article was
>> published on symlink attacks when running nano as root.  The article
>> is at http://drosenbe.blogspot.com/2010/03/nano-as-root.html if you're
>> interested.
>
> Interesting! Do you know if there are CVE numbers assigned for these?
>
> I'm going to include the patch currently in SVN for an immediate Debian
> upload.
>
> Jordi
> --
> Jordi Mallach Pérez  --  Debian developer     http://www.debian.org/
> address@hidden     address@hidden     http://www.sindominio.net/
> GnuPG public key information available at http://oskuro.net/
>
>
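The attack class the thread refers to (a backup file written at a predictable path while nano runs as root, where an attacker has planted a symlink at that path) is easy to reproduce in miniature. The program below is an added illustration, not nano's code and not the change made in r4491/r4492, which this thread does not show. It assumes a POSIX system with the O_EXCL and O_NOFOLLOW open(2) flags and a writable /tmp; all file names and contents are constructed for the demo, and it runs unprivileged because the link being followed does not depend on who owns the target.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Naive backup writer: open(2) with O_CREAT|O_TRUNC follows whatever the
 * path currently points at. If an attacker has planted a symlink at the
 * predictable backup name, the data (and the truncation) land in the
 * link target, which is what makes this dangerous as root. */
static int write_backup_naive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Hardened backup writer: remove any existing entry, then create the file
 * with O_EXCL|O_NOFOLLOW so a symlink re-planted in the gap makes open()
 * fail (EEXIST/ELOOP) instead of being followed. fstat() on the descriptor
 * we actually hold confirms it is a regular file before anything is written. */
static int write_backup_safe(const char *path, const char *data)
{
    if (unlink(path) < 0 && errno != ENOENT)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

static int read_small_file(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Stage the scenario in a private temp directory (constructed demo; the
 * "attacker" and the "editor running as root" are the same unprivileged
 * user here, which is enough to show whether the link gets followed).
 * Returns 1 if the victim file was clobbered through the symlink,
 * 0 if it was left intact, -1 on setup failure. */
int run_symlink_demo(int hardened)
{
    char dir[] = "/tmp/nano-B-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char victim[256], backup[256], after[64];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(backup, sizeof backup, "%s/edited.txt~", dir); /* predictable backup name */

    int result = -1;
    const char *original = "original victim contents\n";
    if (write_backup_safe(victim, original) == 0 &&
        symlink(victim, backup) == 0) {                      /* attacker plants the link */
        int (*writer)(const char *, const char *) =
            hardened ? write_backup_safe : write_backup_naive;
        writer(backup, "editor backup data\n");             /* editor writes its backup */
        if (read_small_file(victim, after, sizeof after) == 0)
            result = strcmp(after, original) != 0;
    }

    unlink(backup);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("naive writer clobbers victim: %d\n", run_symlink_demo(0));
    printf("hardened writer clobbers victim: %d\n", run_symlink_demo(1));
    return 0;
}
```

The unlink-then-O_EXCL sequence fails closed: if the attacker wins the race and re-creates the link between the two calls, the open fails and no data is written, which is the acceptable outcome for a backup. The remaining exposure is the directory itself; if root is editing inside an attacker-writable directory, nothing about the flags changes who controls that directory, which is why the man page note about -B as root is the right complement to the code change.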