Christian Perrier wrote:
> OK, let's get advice from the security and release teams. Looks like
> the advice from both the shadow and cron package maintainers is not enough.
>
> In short, #300720 complains that login does not activate by default
> the pam_limits module, in the provided /etc/pam.d/login file
>
> This bug report came very late and did not show high security
> implications at that moment. Nor was the bug RC. Given the policy we
> had at that moment for base system packages, I reported the fix to
> post-sarge.
>
> The cron package maintainer, Steve Greenland, made the same choice.
>
> Now, at least Olivier mentions this to be a potential fork-bomb issue.
>
> As there is likely a kind of dispute arising with the arguments
> developed below by Olivier, I'd rather get the input from both teams
> whether 300720 deserved being fixed in sarge.

Just for the record: the SecurityFocus article mentioning many Linux distros being affected by an ancient fork-bomb by any user can be found here:
http://www.securityfocus.com/columnists/308?ref=rssdebia

The Slashdot discussion, mentioning Woody not being affected, but Sarge being affected can be found here:
http://linux.slashdot.org/article.pl?sid=05/03/18/1421255&tid=172&tid=106

regards,
Olivier Sessink

