© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0f7b58d
(Get the code!)
Apologies for my long delay in dealing with these bugs, both reported by halfdog. Fixes turned out to be quite complicated, since in part they involved unwinding incorrect logic from nearly 20 years ago and ensuring that everything else built on that was appropriately adjusted.
Here are the relevant sections from my release announcement, which should appear at https:/
* SECURITY: Eliminate dangerous setgid-root directories. In the default
configuration, cache files and directories are now owned by man:man
rather than man:root; man and mandb are now setgid man as well as
setuid man (except in the --disable-setuid case). This is a much
simpler and safer solution to the original problem that caused my
predecessor to make directories setgid root, and doesn't introduce any
interesting new privilege since the man group's only real purpose is
to be the man user's primary group and nothing in cache directories is
group-
Maintainers of distribution packagers should take care to review their
installation rules in light of this change.
As far as I know this has no CVE ID, but it is described here:
http://
[...]
Notes for distributors
=====
The security fix above was quite involved. If you're trying to backport
it to a stable release, then you should probably consider at least these
commits:
e62b9edafe0
9ab9f3dd9b0
0f8b5518949
94b9d1e2a14
c7f7daa9b2f
31552334cec
755a9551c45
75701f7fd9a
Feel free to contact me if you have difficulty. You should also
consider
http://
which could not be fixed without fixing the above bug first; while this
bug was in Debian-specific cron jobs, others may have copied them.
I've uploaded 2.7.6-1 to unstable with fixes for these vulnerabilities. I'd be happy to help out the Debian and Ubuntu security teams with backports if they need it, although hopefully the above list of git commits is enough to get started.