Re: Wheezy update of icu?
On Wed, Sep 07, 2016 at 07:15:56PM -0400, Roberto C. Sánchez wrote:
> On Wed, Sep 07, 2016 at 09:10:16PM +0200, Moritz Muehlenhoff wrote:
> > So, you've identified the upstream fix for CVE-2016-6293 and why does
> > that not get committed to the security tracker?
> > That really sucks. LTS development almost fully relies on the
> > security tracker, so why don't you submit generic vulnerability information
> > you come across?
> I was not aware that I needed to do that. It is not documented anywhere
> in the LTS workflow or in the security tracker itself.
> Please let me know how I go about adding this to the security tracker
> and I will.
If you find useful information on e.g. how to reproduce the bug or about
the proper upstream fix use
See e.g. this entry from the top of the current data/CVE/list:
CVE-2016-7155 [scsi: pvscsi: OOB read and infinite loop while setting descriptor rings]
	- qemu <unfixed>
	- qemu-kvm <removed>
	NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00050.html
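
Added example, not part of the original mail or of the security tracker's own tooling: a small parser for entries laid out like the one quoted above, which reports entries that still have an <unfixed> package but carry no NOTE line. It assumes that detail lines are indented under an unindented CVE header; the second sample entry and the function names are constructed for illustration.

```python
import re

# Constructed sample in the data/CVE/list layout: the first entry is the one
# quoted in the mail, the second is a made-up placeholder with no NOTE line.
SAMPLE = """\
CVE-2016-7155 [scsi: pvscsi: OOB read and infinite loop while setting descriptor rings]
\t- qemu <unfixed>
\t- qemu-kvm <removed>
\tNOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00050.html
CVE-0000-0001 [constructed placeholder entry]
\t- examplepkg <unfixed>
"""

HEADER = re.compile(r"^(CVE-\d{4}-\d{4,})\s*(?:[\[(](.*)[\])])?\s*$")
PACKAGE = re.compile(r"^(?:\[(\w+)\]\s+)?-\s+(\S+)\s+(\S+)")

def parse_cve_list(text):
    """Return a list of dicts with keys id, description, packages, notes."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # an unindented line starts a new entry
            m = HEADER.match(line)
            current = None
            if m:
                current = {"id": m.group(1), "description": m.group(2) or "",
                           "packages": [], "notes": []}
                entries.append(current)
            continue
        if current is None:  # indented line with no valid header above it
            continue
        m = PACKAGE.match(line)
        if m:
            current["packages"].append(m.groups())  # (release, package, status)
        elif line.startswith("NOTE:"):
            current["notes"].append(line[len("NOTE:"):].strip())
    return entries

def open_without_notes(entries):
    """IDs of entries with an <unfixed> package and no NOTE line at all."""
    return [e["id"] for e in entries
            if any(s == "<unfixed>" for _, _, s in e["packages"])
            and not e["notes"]]

if __name__ == "__main__":
    print(open_without_notes(parse_cve_list(SAMPLE)))
```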