On 08/06/2015 01:38, Jonathan de Boyne Pollard wrote:
And I am regretful and slightly hesitant to report a security bug in s6-networking, where it fails (unless I have missed something) to wipe any existing UCSPI-TCP environment variables that it isn't setting, per the spec, but merely _merges_ environment changes.
It's not a bug, and I did not concern myself with it, because it is easy enough to clear the environment of UCSPI-related variables before calling a UCSPI tool. However, I agree that it may not be as intuitive as it could be, and clearing the variables that tools do not set is probably the better behaviour. I'll change that in a future release. -- Laurent