Re: 02/02: gnu: linux-pam: Add cracklib to inputs.

unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed

* Re: 02/02: gnu: linux-pam: Add cracklib to inputs.
       [not found] ` <20160828130241.9381A220144@vcs.savannah.gnu.org>
@ 2016-08-28 14:46   ` Leo Famulari
  2016-08-28 15:26     ` David Craven
  0 siblings, 1 reply; 2+ messages in thread
From: Leo Famulari @ 2016-08-28 14:46 UTC (permalink / raw)
  To: guix-devel

On Sun, Aug 28, 2016 at 01:02:41PM +0000, David Craven wrote:
> dvc pushed a commit to branch core-updates
> in repository guix.
> 
> commit 25d1b3107fc7ebdc155649722fc257f4dbc4b04a
> Author: David Craven <david@craven.ch>
> Date:   Sun Aug 28 15:00:49 2016 +0200
> 
>     gnu: linux-pam: Add cracklib to inputs.
>     
>     * gnu/packages/linux.scm (linux-pam)[inputs]: Add cracklib.

Recently, some security vulnerabilities in cracklib have been disclosed
[0].

For CVE-2016-6318, the disclosure message pointed out that if
cracklib is compiled without the FORTIFY_SOURCE compiler flag, the bug
can result in code execution and privilege escalation.

Unfortunately, that applies to us. Our exposure to the bug was mitigated
by the fact that cracklib is not used by our base system (it is used in
our GNOME system, however).

For this reason, I want to revert this commit until we have begun
"hardening" our packages [1].

Any objections?

[0]
http://seclists.org/oss-sec/2016/q3/290
http://seclists.org/oss-sec/2016/q3/370

[1]
http://lists.gnu.org/archive/html/guix-devel/2016-08/msg01157.html

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: 02/02: gnu: linux-pam: Add cracklib to inputs.
  2016-08-28 14:46   ` 02/02: gnu: linux-pam: Add cracklib to inputs Leo Famulari
@ 2016-08-28 15:26     ` David Craven
  0 siblings, 0 replies; 2+ messages in thread
From: David Craven @ 2016-08-28 15:26 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Nope, thanks for keeping such a tight eye on security! =) I just
checked the arch linux package and saw that they are using it so I
thought it would probably be a good idea to add...

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-08-28 15:26 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20160828130241.21430.58427@vcs.savannah.gnu.org>
     [not found] ` <20160828130241.9381A220144@vcs.savannah.gnu.org>
2016-08-28 14:46   ` 02/02: gnu: linux-pam: Add cracklib to inputs Leo Famulari
2016-08-28 15:26     ` David Craven

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).