Package: bash
Version: 4.2+dfsg-1
Severity: important
Tags: security

While reading http://blog.cmpxchg8b.com/2013/08/security-debianisms.html I discovered that Debian patches bash to not drop its privileges when it is invoked as /bin/sh (cf privmode.diff).

As shown in the above page, it looks like this change dates back to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586. bsmtpd has been dropped from Debian in 2005 and I believe that there's no reason for Debian to continue to diverge on that specific behaviour.

So please drop that change, in particular now that /bin/sh is not even provided by bash.

Cheers,

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bash depends on:
ii  base-files   7.2
ii  dash         0.5.7-3+nmu1
ii  debianutils  4.4
ii  libc6        2.17-97
ii  libtinfo5    5.9+20130608-1

Versions of packages bash recommends:
ii  bash-completion  1:2.1-2

Versions of packages bash suggests:
pn  bash-doc  <none>

-- no debconf information
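
The report above is about whether the shell itself gives up an elevated effective uid. As an added example (not part of the report, of bash, or of any Debian patch), a set-uid program can avoid depending on that shell behaviour by discarding its privileges before it spawns /bin/sh; the names drop_privileges_permanently and run_as_invoker are hypothetical, and the saved-id behaviour noted in the comments assumes Linux.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: permanently give up set-uid/set-gid privileges.
 * Returns 0 when real == effective ids and the old ones cannot be restored. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Group first: after the uid is dropped we may no longer be allowed to. */
    if (setregid(rgid, rgid) != 0)
        return -1;
    /* Setting the real uid as well makes Linux reset the saved set-user-ID. */
    if (setreuid(ruid, ruid) != 0)
        return -1;

    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* A non-root caller must not be able to switch back. */
    if (ruid != 0) {
        if (old_euid != ruid && seteuid(old_euid) == 0)
            return -1;
        if (old_egid != rgid && setegid(old_egid) == 0)
            return -1;
    }
    return 0;
}

/* Hypothetical wrapper: run a fixed command via /bin/sh as the invoking user.
 * Returns the command's exit status, or -1 on any failure. */
int run_as_invoker(const char *cmd)
{
    if (drop_privileges_permanently() != 0)
        return -1;              /* fail closed: never reach the shell elevated */
    int status = system(cmd);   /* system() executes /bin/sh -c cmd */
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int rc = run_as_invoker("id");   /* prints the ids the shell runs with */
    printf("exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

With the drop done in the caller, the ids reported by the child shell are the same whether /bin/sh is dash, upstream bash, or a bash carrying privmode.diff.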

