Re: Bug#851612: CVE-2017-0381



On Mon, Feb 06, 2017 at 08:45:01PM +0100, Julien Cristau wrote:
> On Tue, Jan 31, 2017 at 15:32:13 +1030, Ron wrote:
> 
> > I've CC'd -release, to see what they'd prefer we do for Jessie.
> > It might be that the best option here is to just put something later
> > in -bpo, and if people are paranoid, they can choose to use that?
> > 
> I'd prefer to review patches rather than walls of text that refer to
> changes in the abstract, since that makes it easier to know what you're
> talking about.  But based on what I've read it doesn't sound like jessie
> needs an update?

Unless there's a surprise reveal about the real severity, I think it
would be theatre to push just this patch and not the similar things
fixed without fanfare in 1.1.4 as an SPU - and I don't think 1.1.4 is
in the usual comfort zone for an SPU, or that any of these are known
to be serious enough to warrant making an uncomfortable exception.

Salvatore asked me to look at our options, so I gave enough context
for people to do their own detailed assessment if they feel they want
to disagree.  If someone is really worried about being exposed by 1.1
in Jessie, they'd be much better off with a -bpo of what's in Stretch,
or a -sloppy backport of 1.1.4, than with just this one issue patched.

If we later find any of them are more seriously exploitable, we can
put a targeted fix through -security or -p-u for just that, but we'd
have already done that if the upstream analysis thought they were.


It looks like the language and severity of the original CVE has been
toned down now based on the analysis given here anyway - so even the
"it would be good PR to show this as fixed in Jessie" argument isn't
as strong as it was a week ago when I originally replied.

  Thanks!
  Ron
