Bug#749846: trafficserver: Insecure command execution and use of temporary filenames.

2014-06-02 Thread Arno Töll
On 02.06.2014 11:29, Steve Kemp wrote:
>> [ Hoping this whole file isn't needed, and can simply go away :) ]

Actually, it is. The shadow part is most likely a left-over from dead code before ATS was open-sourced. Either way, the entire command line utility (traffic-shell) is being dropped upstrea

Bug#749846: trafficserver: Insecure command execution and use of temporary filenames.

2014-06-02 Thread Steve Kemp
On Mon Jun 02, 2014 at 10:23:23 +0100, Steven Chamberlain wrote:
> http://sources.debian.net/src/trafficserver/3.0.5-1/mgmt/tools/SysAPI.cc
>
> NOWARN_UNUSED_RETURN(system("/bin/mv -f /tmp/shadow /etc/shadow"));
>
> Won't that reset the shadow file's ownership to root:root? If default
> umas

Bug#749846: trafficserver: Insecure command execution and use of temporary filenames.

2014-06-02 Thread Steven Chamberlain
Hi,

http://sources.debian.net/src/trafficserver/3.0.5-1/mgmt/tools/SysAPI.cc
> NOWARN_UNUSED_RETURN(system("/bin/mv -f /tmp/shadow /etc/shadow"));

Won't that reset the shadow file's ownership to root:root? If default umask is 027, the file won't be readable any more by the shadow group; won'

Bug#749846: trafficserver: Insecure command execution and use of temporary filenames.

2014-06-02 Thread Arno Töll
Hi Steve,

On 30.05.2014 09:59, Steve Kemp wrote:
> Please do request/assign CVE identifiers.

Thanks for your report, I will coordinate this with Apache folks to get a CVE upstream as this is not Debian specific.

--
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID:

Bug#749846: trafficserver: Insecure command execution and use of temporary filenames.

2014-05-30 Thread Steve Kemp
Package: trafficserver
Version: 3.0.5-1
Severity: important
Tags: security

Dear Maintainer,

The binary `/usr/bin/traffic_shell` contains the following strings, which should be sufficient to explain the issue:

  /bin/mv -f /tmp/shadow /etc/shadow
  /bin/sort /tmp/zonetab.tmp > /tmp/zonetab