On Thu, Jan 20, 2011 at 12:03:31PM +0100, Thijs Kinkhorst wrote:
> On Thu, January 20, 2011 09:28, Dominic Hargreaves wrote:
> > This issue has now been released:
> > <http://lists.bestpractical.com/pipermail/rt-announce/2011-January/000185.html>
> >
> > A proposed update for lenny is now sitting at
> > svn+ssh://svn.debian.org/svn/pkg-request-tracker/packages/request-tracker3.6/branches/lenny-security
> > and I'd like to get this fixed in lenny. The security team isn't sure
> > whether they can fix this in a DSA or not at this stage, and suggested
> > a stable update as a possibility.
> >
> > Please can either DSA or SRM let me know of their preferred option?
> > The fix is ready to upload either way.
>
> Thanks for your work on this. The issue boils down to the fact that
> passwords are now hashed in md5 and they switched to sha256 with salt.
> This is of course a good development but I don't think it's a security
> issue directly, since you need to have some way to obtain those hashes in
> the first place.
>
> I would say that we update this through stable update, as it's a useful
> hardening but current installations aren't in immediate danger.

Okay, this is different to Raphael's earlier assessment. I suspect
different people will have different opinions on this. It is being
treated as a security issue upstream.

SRM, could you advise on whether this can be included in Saturday's
point release?

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
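The thread turns on the difference between the two storage schemes Thijs describes: unsalted MD5 digests versus salted SHA-256. The following is an added illustration, not code from Request Tracker or the Debian package: it contrasts the two schemes, shows why unsalted digests expose which users share a password, and sketches a rehash-on-login migration, which is the only point at which an existing MD5 entry can be upgraded because rehashing needs the plaintext. The `md5$` / `sha256$$` storage formats, the `SAMPLE_DB` table and the function names are this example's own conventions and are not taken from RT.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added illustration (not RT's code). The stored-value formats below
# ("md5$<hex>" and "sha256$<salt hex>$<digest hex>") are this example's
# own convention, chosen so verify() can tell the two schemes apart.


def legacy_md5(password: str) -> str:
    """Unsalted MD5: equal passwords give equal, precomputable digests."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_sha256(password: str, salt: Optional[bytes] = None) -> str:
    """SHA-256 over a random 16-byte per-user salt plus the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either stored format using a constant-time compare."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        return hmac.compare_digest(legacy_md5(password), stored)
    if scheme == "sha256":
        salt_hex, _, _digest_hex = rest.partition("$")
        candidate = salted_sha256(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored)
    return False  # unknown scheme: never accept


def login_and_migrate(user_db: dict, user: str, password: str) -> bool:
    """Authenticate; on success, upgrade a legacy MD5 entry in place.

    The upgrade can only happen here: without the plaintext there is no way
    to turn an existing MD5 digest into a salted SHA-256 one.
    """
    stored = user_db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("md5$"):
        user_db[user] = salted_sha256(password)
    return True


def duplicate_entries(stored_values) -> int:
    """Number of repeated stored values. Under unsalted MD5 this reveals
    users sharing a password; under the salted scheme it is 0 even when
    two users chose the same password, because their salts differ."""
    values = list(stored_values)
    return len(values) - len(set(values))


# Constructed sample table in the legacy format; alice and bob share a password.
SAMPLE_DB = {
    "alice": legacy_md5("correct horse"),
    "bob": legacy_md5("correct horse"),
    "carol": legacy_md5("another one"),
}

if __name__ == "__main__":
    db = dict(SAMPLE_DB)
    print("duplicate entries before migration:", duplicate_entries(db.values()))
    for user, pw in [("alice", "correct horse"), ("bob", "correct horse"),
                     ("carol", "another one")]:
        assert login_and_migrate(db, user, pw)
    print("duplicate entries after migration:", duplicate_entries(db.values()))
```

Note that `verify()` keeps accepting the legacy format so existing users are not locked out during the transition, while `duplicate_entries()` is the quick check an administrator can run over a password table to see whether it still carries the property Thijs's argument relies on (the hashes must be obtained first) being the only thing standing between a leaked table and a password-sharing map.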

