Hi Dan - Thanks so much for attaching the debdiff! I've reviewed the debdiff and have some feedback:
1) Both Ubuntu 16.04 LTS and Ubuntu 16.10 are affected. If possible, a debdiff for each release would be appreciated.

2) The version used in the debdiff is incorrect. It should follow the guidelines described in section #2 here: https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
   Ubuntu 16.04 LTS should use 2.0.6-1ubuntu1.16.04.1 and Ubuntu 16.10 should use 2.0.6-1ubuntu1.16.10.1

3) The distribution field in the changelog should be "xenial-security" instead of "xenial". The Ubuntu 16.10 debdiff would use "yakkety-security". This is described in section #3 in the same link as above.

4) The changelog contents should be more descriptive. It should follow the guidelines described in section #3 in the same link as above. Something like this would work:

  * SECURITY UPDATE: Incorrect permissions on the /etc/ldapscripts/ldapscripts.passwd file allow local attackers to read the contents (LP: #1662164)
    - debian/rules: Fix typo that prevented dh_fixperms from applying the correct ldapscripts.passwd permissions

5) You didn't mention what level of testing you performed. Were you able to verify that the file permissions were correct after installing the new package?

Please attach new debdiffs and mention the testing that you were able to perform. Thanks again and don't hesitate to ask any questions!

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1662164

Title:
  ldapscripts.passwd uses insecure permissions by default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ldapscripts/+bug/1662164/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
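The verification asked for in point 5 is the kind of thing worth scripting so it can be pasted into the bug as "testing performed". The following is an added example, not code from the bug report, the ldapscripts package or the Ubuntu security team. It assumes GNU coreutils `stat` (Linux) and that the correct state for /etc/ldapscripts/ldapscripts.passwd is owner-only access (no group or other bits, i.e. 0600 or stricter); the bug only states that the shipped default is too permissive, so adjust the mask if the package actually installs the file with a dedicated group.

```shell
#!/bin/sh
# Added example: verify that a file is not readable beyond its owner,
# the post-install check requested in the bug. Not part of ldapscripts.
# Assumes GNU `stat -c` (Linux). The owner-only policy is an assumption.

# Print the octal mode and owner of a file, e.g. "600 root:root".
describe_perms() {
    stat -c '%a %U:%G' "$1"
}

# Return 0 when no read/write/execute bit is set for group or others,
# 1 when the file is accessible beyond its owner, 2 when it does not exist.
owner_only() {
    f=$1
    [ -e "$f" ] || return 2
    mode=$(stat -c '%a' "$f")
    # Prefix the digits with 0 so the shell parses them as octal, then
    # mask the group and other bits (0077). Works for 4-digit modes too.
    if [ $(( 0$mode & 0077 )) -eq 0 ]; then
        return 0
    fi
    return 1
}

# Check one file (default: the file from the bug) and print a line that
# can be quoted verbatim in the "testing performed" note. Returns the
# status of owner_only so callers can branch on it.
check_ldapscripts_passwd() {
    f=${1:-/etc/ldapscripts/ldapscripts.passwd}
    owner_only "$f"
    rc=$?
    case $rc in
        0) printf 'OK   %s: %s\n' "$f" "$(describe_perms "$f")" ;;
        1) printf 'FAIL %s: %s (readable beyond owner)\n' "$f" "$(describe_perms "$f")" ;;
        *) printf 'SKIP %s: not present\n' "$f" ;;
    esac
    return $rc
}

# Stand-alone use after installing the rebuilt package:
#   CHECK_FILE=/etc/ldapscripts/ldapscripts.passwd sh check-perms.sh
if [ -n "${CHECK_FILE:-}" ]; then
    check_ldapscripts_passwd "$CHECK_FILE"
fi
```

Run it once against the stock 2.0.6-1 package (expect FAIL) and once after installing the debdiff build (expect OK); both lines, plus `dpkg -l ldapscripts` output, make a complete testing note for the bug.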
