
Bug#926043: CVE-2019-0816



Hi Thomas,

On Tue, Apr 02, 2019 at 10:29:33PM +0200, Moritz Mühlenhoff wrote:
> severity 926043 important
> thanks
> 
> On Tue, Apr 02, 2019 at 01:56:35PM +0200, Thomas Goirand wrote:
> > On 4/2/19 12:46 PM, Moritz Muehlenhoff wrote:
> > > On Tue, Apr 02, 2019 at 12:33:10PM +0200, Thomas Goirand wrote:
> > >> On 4/1/19 11:44 PM, Moritz Mühlenhoff wrote:
> > >>> Instead of arguing over bug severities, can't we rather fix the bug?
> > >>
> > >> Sure.
> > >>
> > >>> Ubuntu fixed this already and their versions seem fairly close.
> > >>
> > >> That's the thing. I went into the launchpad bug report, and it's full of
> > >> small, incremental commits, from which it is very hard to figure out
> > >> which one is really fixing the issue. Also, the Ubuntu package is just
> > >> getting a snapshot from upstream, it's not integrating any patch. If
> > >> someone can point at the correct patch, I'll do the update work.
> > > 
> > > Actually, given Bastian's reply, we can just close the bug, or am I missing
> > > something?
> > > 
> > > Cheers,
> > >         Moritz
> > 
> > Well, not 100%. "we" don't support cloud-init provisioning yet. Though
> > someone running Debian, building their own image, could be affected by
> > the bug. Which is why I'd suggest downgrading the bug to important, as
> > it would only affect, only potentially, a very small subset of users.
> 
> OK, I see! Downgrading makes total sense, then. Doing that now.
>  
> > I still believe we should try to get this fixed in time for Buster, and
> > backport it to Stretch.
> 
> Ack.

Did you have a chance to look into this specifically for unstable and
possibly buster (still agreeing on the reasoning, but was looking
through some pending mails and spotted the intent above)?

Regards,
Salvatore

