Re: Wheezy update of icu?
On Wed, Sep 07, 2016 at 07:15:56PM -0400, Roberto C. Sánchez wrote:
> On Wed, Sep 07, 2016 at 09:10:16PM +0200, Moritz Muehlenhoff wrote:
> >
> > So, you've identified the upstream fix for CVE-2016-6293 and why does
> > that not get committed to the security tracker?
> >
> > That really sucks. LTS development almost fully relies on the
> > security tracker, so why don't you submit generic vulnerability information
> > you come across?
> >
> I was not aware that I needed to do that. It is not documented anywhere
> in the LTS workflow [0] or in the security tracker itself [1].
>
> Please let me know how I go about adding this to the security tracker
> and I will.
If you find useful information on e.g. how to reproduce the bug or about
the proper upstream fix use
NOTE:
See e.g. this entry from the top of the current data/CVE/list:
CVE-2016-7155 [scsi: pvscsi: OOB read and infinite loop while setting descriptor rings]
	- qemu <unfixed>
	- qemu-kvm <removed>
	NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00050.html
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1373462
	NOTE: http://www.openwall.com/lists/oss-security/2016/09/06/2
Cheers,
-- Guido
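
A small checker for the entry format shown in the message above, as an added example that is not part of the original mail or of the security tracker's own tooling: it parses entries in the `data/CVE/list` layout and reports those that still have an `<unfixed>` package but no `NOTE:` lines. The second sample entry (`CVE-0000-0001`, `examplepkg`) and all function names are constructed for illustration.

```python
import re

# Constructed sample: the first entry is the one quoted in the message above,
# the second is a made-up placeholder. Indentation is ignored by the parser.
SAMPLE = """\
CVE-2016-7155 [scsi: pvscsi: OOB read and infinite loop while setting descriptor rings]
    - qemu <unfixed>
    - qemu-kvm <removed>
    NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00050.html
    NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1373462
    NOTE: http://www.openwall.com/lists/oss-security/2016/09/06/2
CVE-0000-0001 [constructed placeholder entry with no notes]
    - examplepkg <unfixed>
"""

HEADER = re.compile(r"^(CVE-\d{4}-\d+)(?:\s+\[(.*)\])?\s*$")   # unindented CVE line
PACKAGE = re.compile(r"^(?:\[(\w+)\]\s+)?-\s+(\S+)\s+(\S+)")   # "- pkg status"

def parse_entries(text):
    """Split the text into entries with their package lines and NOTE lines."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(raw)
        if header:
            current = {"id": header.group(1), "title": header.group(2) or "",
                       "packages": [], "notes": []}
            entries.append(current)
        elif current is None or not line:
            continue                      # text before the first entry, blank lines
        elif line.startswith("NOTE:"):
            current["notes"].append(line[len("NOTE:"):].strip())
        else:
            pkg = PACKAGE.match(line)
            if pkg:
                current["packages"].append(
                    {"release": pkg.group(1), "name": pkg.group(2), "status": pkg.group(3)})
    return entries

def missing_notes(entries):
    """IDs of entries with an <unfixed> package and no NOTE: information at all."""
    return [e["id"] for e in entries
            if not e["notes"] and any(p["status"] == "<unfixed>" for p in e["packages"])]

def note_urls(entry):
    """URLs recorded in an entry's NOTE: lines (upstream patch, bug reports, ...)."""
    return [url for note in entry["notes"] for url in re.findall(r"https?://\S+", note)]

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for entry in parsed:
        print(entry["id"], len(entry["notes"]), "notes", note_urls(entry))
    print("unfixed without notes:", missing_notes(parsed))
```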