[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Wheezy update of icu?

On Wed, Sep 07, 2016 at 07:15:56PM -0400, Roberto C. Sánchez wrote:
> On Wed, Sep 07, 2016 at 09:10:16PM +0200, Moritz Muehlenhoff wrote:
> > 
> > So, you've identified the upstream fix for CVE-2016-6293 and why does
> > that not get commited to the security tracker?
> > 
> > That really sucks. LTS development almost fully relies on the
> > security tracker, so why don't you submit generic vulnerability information
> > you come across?
> > 
> I was not aware that I needed to do that.  It is not documented anywhere
> in the LTS workflow [0] or in the security tracker itself [1].
> Please let me know how I go about adding this to the security tracker
> and I will.

If you find useful information on e.g. howto reproduce the bug or about
the proper upstream fix use


See e.g. this entry from the top of the current data/CVE/list:

CVE-2016-7155 [scsi: pvscsi: OOB read and infinite loop while setting descriptor rings]
        - qemu <unfixed>
        - qemu-kvm <removed>
        NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00050.html
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1373462
        NOTE: http://www.openwall.com/lists/oss-security/2016/09/06/2

 -- Guido

Reply to: