
Re: libseccomp2 CVE fixed only for buster-backports?



After all is said and done, we are talking about this issue:
https://security-tracker.debian.org/tracker/CVE-2019-9893

Reading that page there is a "No security issue by itself" comment, that
can tell you what priority the Debian security team attached to it.

Reading the bug I could see:
> The libseccomp v2.4.0 release fixes this problem, and should be a
> direct drop-in replacement for previous v2.x releases.  Due to the
> complexity, and associated risk, of backporting the fix to the v2.3.x
> release stream, I've made the difficult decision not to backport the
> fix.
So, well, just don't expect this to land in buster easily.

If anybody believes this is important, they should take it to #924646 and
probably talk with the Release Team.


I would say that a CVE which it was decided not to fix in the version present
in stable being fixed only in stable-backports, where there is a whole
different version, is not that surprising.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
More about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
