Hi everyone, we have performed additional tests that led to the conclusion that this bug did already exist in 3.16.0-5-amd64, but not in 3.16.0-4-amd64. Given that, it must have been some change in 3.16.51-3+deb8u1 which luckily are only few. I hope its not fallout from the KPTI patch, so the only other thing that seems relevant (since we're using Kerberos) would be: > * KEYS: add missing permission check for request_key() destination > (CVE-2017-17807) Does that seem valid? Regards, -- Moritz Schlarb Unix-Gruppe | Systembetreuung Zentrum für Datenverarbeitung Johannes Gutenberg-Universität Mainz Raum 01-331 - Tel. +49 6131 39-29441 OpenPGP Fingerprint: DF01 2247 BFC6 5501 AFF2 8445 0C24 B841 C7DD BAAF
begin:vcard fn:Moritz Schlarb n:Schlarb;Moritz org;quoted-printable;quoted-printable:Johannes Gutenberg-Universit=C3=A4t Mainz;Zentrum f=C3=BCr Datenverarbeitung adr;dom:;;;Mainz email;internet:schlarbm@uni-mainz.de tel;work:+49 6131 39 29441 note;quoted-printable:OpenPGP Fingerprint: DF01 2247 BFC6=0D=0A= 5501 AFF2 8445 0C24 B841 C7DD BAAF version:2.1 end:vcard
Attachment:
signature.asc
Description: OpenPGP digital signature