Hi Dan - Thanks so much for attaching the debdiff!
I've reviewed the debdiff and have some feedback:
1) Both Ubuntu 16.04 LTS and Ubuntu 16.10 are affected. If possible, a debdiff
for each release would be appreciated.
2) The version used in the debdiff is incorrect. It should follow the
guidelines described in section #2 here:
https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging
Ubuntu 16.04 LTS should use 2.0.6-1ubuntu1.16.04.1 and Ubuntu 16.10 should
use 2.0.6-1ubuntu1.16.10.1
3) The distribution field in the changelog should be "xenial-security" instead
of "xenial". The Ubuntu 16.10 debdiff would use "yakkety-security". This is
described in section #3 in the same link as above.
4) The changelog contents should be more descriptive. It should follow the
guidelines described in section #3 in the same link as above. Something like
this would work:
* SECURITY UPDATE: Incorrect permissions on the
/etc/ldapscripts/ldapscripts.passwd file allow local attackers to read the
contents (LP: #1662164)
- debian/rules: Fix typo that prevented dh_fixperms from applying the
correct ldapscripts.passwd permissions
5) You didn't mention what level of testing you performed. Were you able to
verify that the file permissions were correct after installing the new
package?
Please attach new debdiffs and mention the testing that you were able to
perform. Thanks again and don't hesitate to ask any questions!