
Re: CVE-2016-6131 binutils, gdb, valgrind etc.

On 06/07/16 at 18:43, Bálint Réczey wrote:
> Hi,
> 2016-07-06 18:22 GMT+02:00 Holger Levsen <holger@layer-acht.org>:
> > On Wed, Jul 06, 2016 at 05:57:43PM +0200, Markus Koschany wrote:
> >> In this specific case I wouldn't do it because of the reasons I have
> >> mentioned before but more input from others is welcome. If we decide to
> >> fix these issues we also need to take care of valgrind, nescc,
> >> libiberty, ht, gdb, gcc-h8300-hms and binutils-h8300-hms. Otherwise it
> >> would be rather inconsistent.
> >
> > I disagree. Perfect is the enemy of good. We have inconsistencies in many
> > places too.
> >
> > Brian's work was useful and should not be lost. It's good to close
> > "minor" security holes.
> I agree. Sometimes a combination of "minor" issues can be exploited
> to allow more severe attacks. If the fixes are safe, I think they
> should be released.


After talking with Salvatore and Guido, we plan to discuss the meaning of
no-dsa for oldstable during the BoF tomorrow. One of the reasons for
tagging minor issues as no-dsa is to handle them via point releases.
Since we don't have those in LTS, "minor" issues like those in binutils
and co. should be handled/fixed earlier in oldstable.

So, if we have safe fixes, there is no reason not to release them.
Of course, everything is issue-specific.


