CCed the security team. Security-team: Do you think this is a security issue?
I can't remember the point of encrypting the database with the key in the same directory right now. Maybe it protects against certain types of mistakes, not sure.

Regards.

Ryan Tandy <[email protected]> writes:

> On Tue, Jul 18, 2017 at 05:35:07PM +1000, Brian May wrote:
>> Does the attached patch look good to you?
>
> Yes, that's exactly what I had in mind. Tested here and looks fine.
>
> Changelog typo: "explicity". Guessing you already spotted it.
>
> The path would also need updating in the heimdal-kdc/password debconf
> template.
>
>> Do you consider this a security issue? Do we need to investigate fixes
>> for Wheezy, Jessie, and Stretch (depending on when this bug was first
>> introduced)?
>
> I would guess it's worth getting the security team's opinion on.
>
> Problem is, fixing the postinst doesn't help existing installs. A NEWS
> entry explaining the impact and how to introduce an mkey to an existing
> install might be more valuable than the actual postinst fix.
>
> (I've been through a similar exercise with openldap in #761406.)

-- 
Brian May <[email protected]>

