>>>>> "Javier" == Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]> writes:
Javier> On Thu, Mar 24, 2005 at 08:49:01PM -0500, Sam Hartman Javier> wrote: >> severity 300775 wishlist tags 300775 -security Javier> ^^^^^^^^^^^^^^^^^^^^^ Why this? PAM 0.76 is indeed Javier> vulnerable to the issues fixed in 0.78 Someone pointed out in mail to this bug that Debian is not vulnerable to these issues because of local patches. >> Hi. I've explicitly decided not to upgrade PAM for sarge. I >> had also decided when 0.77 came out that I didn't see a good >> reason to take it. Taking a new pam release is a painful >> process. Javier> Yes, it might be painful, but fixing bugs is also Javier> important and these releases are primarily bug-fix Javier> releases. >> That said, I'm looking for people to help with PAM. Would you >> be interested? Are you familiar with pam enough to help try >> and merge in a new release? Javier> I can help out, I am not extremely familiar with PAM but Javier> wouldn't mind jumping in and helping you with this Javier> release. Since sarge's base is frozen maybe an upload to Javier> experimental with 0.78 plus patches would be best right Javier> now and have it move into sid as soon as sarge is PAM is maintained in a subversion repository on alioth. I can give you write access to that repository if you're sufficiently familiar with subversion etc. I'd recommend importing PAM 0.78's upstream and then looking at each of the debian local patches and seeing whether they should be maintained, dropped or modified.