Version 1.7.10 of Mandos is released

Teddy Hogeborn teddy at recompile.se
Thu Jun 23 23:06:13 CEST 2016


Mandos 1.7.10 is released.  It is both a minor bug fix release (thanks
to the long-suffering Valerio Bellizzomi <valerio at selnet.org> who helped
find another bug in the --interface option for the server), and a minor
security bug fix release for the client.

How can a security bug fix be minor?  This bug only affects you if:

* You have written your own plugin helper (note: not plugin, plugin
  *helper*) and put it into the /etc/mandos/plugin-helpers directory,
* AND if this plugin helper of yours is set-uid, set-gid or otherwise
  contains secrets which should not be accessible by unprivileged users
  on the same system,
* AND if you did a completely *new* install of 1.7.8 or 1.7.9 (both of
  which have only been available during the last couple of days),
* AND if you have untrusted unprivileged local users on your system,

THEN, the /etc/mandos/plugin-helpers directory, which is normally empty,
will have too insecure permissions set on it, and your private plugin
helper executable would have been accessible by unprivileged local
users.  We are sorry if this happened.  This release fixes this bug.
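The condition described above (a helper directory that should be private but ended up with permissions open to other local users) is the kind of thing an administrator may want to audit on an existing install rather than trust to the package upgrade alone. The following POSIX shell script is an added example written for this announcement; it is not code from the Mandos project or from the mandos-client postinst, and it assumes GNU coreutils stat(1) and GNU findutils on a Linux system. The target mode of 0700 is an assumption: the announcement says only that the directory's permissions are restricted in 1.7.10, not the exact mode applied.

```shell
#!/bin/sh
# Added example, not Mandos code: audit and tighten a plugin-helper directory.
# Assumption: the intended mode is root-only 0700; the announcement does not
# state the exact mode the mandos-client package sets.
HELPER_DIR_MODE=700

# Return 0 if DIR exists and grants no permissions at all to group or other,
# 1 otherwise.  Reads the octal mode with GNU stat(1) -c '%a', which may
# include a leading setuid/setgid/sticky digit (e.g. "2750"), so the value is
# zero-padded to four digits and only the last three are inspected.
helper_dir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    mode=$(printf '%4s' "$mode" | tr ' ' 0)
    perm=${mode#?}
    case "$perm" in
        ?00) return 0 ;;   # owner bits only, e.g. 700 or 500
        *)   return 1 ;;   # some group/other bit is set
    esac
}

# Print every direct entry of DIR that is set-uid, set-gid, or readable by
# group or other.  These are exactly the helpers the announcement is worried
# about: private or privileged executables that other local users can reach
# if the directory itself is not restricted.
find_exposed_helpers() {
    find "$1" -mindepth 1 -maxdepth 1 \
        \( -perm -4000 -o -perm -2000 -o -perm /044 \) -print
}

# Apply the assumed restrictive mode to DIR (owner-only access).
tighten_helper_dir() {
    chmod "$HELPER_DIR_MODE" "$1"
}

# Audit a directory and tighten it if needed.  Returns 0 when the directory
# is private afterwards, 1 if it could not be checked or fixed.
audit_helper_dir() {
    dir=$1
    if helper_dir_is_private "$dir"; then
        echo "ok: $dir is private"
        return 0
    fi
    echo "warning: $dir is accessible to other local users; exposed entries:"
    find_exposed_helpers "$dir"
    tighten_helper_dir "$dir" && helper_dir_is_private "$dir"
}

# Stand-alone usage on a real system (run as root):
#   audit_helper_dir /etc/mandos/plugin-helpers
```

Run it as root against the real directory; run as an ordinary user it will only report, since chmod on a root-owned directory fails. The audit deliberately checks the directory mode rather than each file's mode, because the announcement's point is that the directory was the weak link: a set-uid helper with sensible file permissions is still exposed if any local user can traverse and read the directory that contains it.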

Version 1.7.10 (2016-06-23)
* Client
** Security fix: restrict permissions of /etc/mandos/plugin-helpers
* Server
** Bug fix: Make the --interface flag work with Python 2.7 when "cc"
   is not installed

Debian package changes:

* debian/rules (override_dh_fixperms-arch): Also exclude
  "etc/mandos/plugin-helpers" from changes by dh_fixperms.
* debian/mandos-client.postinst: Fix the permissions of
  "/etc/mandos/plugin-helpers" for those systems which had a fresh
  install of an older version.

/Teddy Hogeborn & Björn Påhlsson

-- 
The Mandos Project
https://www.recompile.se/mandos