
Re: Wheezy update of icu?

On Wed, Sep 07, 2016 at 07:15:56PM -0400, Roberto C. Sánchez wrote:
> On Wed, Sep 07, 2016 at 09:10:16PM +0200, Moritz Muehlenhoff wrote:
> > 
> > So, you've identified the upstream fix for CVE-2016-6293 and why does
> > that not get committed to the security tracker?
> > 
> > That really sucks. LTS development almost fully relies on the
> > security tracker, so why don't you submit generic vulnerability information
> > you come across?
> > 
> I was not aware that I needed to do that.  It is not documented anywhere
> in the LTS workflow [0] or in the security tracker itself [1].
> 
> Please let me know how I go about adding this to the security tracker
> and I will.

If you find useful information on e.g. how to reproduce the bug or about
the proper upstream fix, use

   NOTE:

See e.g. this entry from the top of the current data/CVE/list:
CVE-2016-7155 [scsi: pvscsi: OOB read and infinite loop while setting descriptor rings]
        - qemu <unfixed>
        - qemu-kvm <removed>
        NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00050.html
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1373462
        NOTE: http://www.openwall.com/lists/oss-security/2016/09/06/2

Cheers,
 -- Guido
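The entry quoted above follows the line-oriented layout of the security tracker's data/CVE/list: an unindented CVE header with a bracketed description, indented "- package status" lines (optionally prefixed with a release tag such as "[wheezy]"), and indented NOTE: lines carrying reproduction hints and upstream fix references. The parser below is an added illustration written for this thread; it is not the security tracker's own code and makes no claim about how the tracker itself parses the file. The first sample entry is the one quoted in the mail; the second (CVE-0000-0000, example-pkg, the example.invalid URL) is a constructed placeholder used only to exercise the release-tag and reason-in-parentheses forms.

```python
"""Parse entries laid out like the Debian security tracker's data/CVE/list.

Added example for this thread; not the tracker's own parser.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input. The first entry is the one quoted in the mail.
# The second is a placeholder entry (not a real CVE) added to exercise the
# "[release] - pkg <status> (reason)" form.
SAMPLE = """\
CVE-2016-7155 [scsi: pvscsi: OOB read and infinite loop while setting descriptor rings]
        - qemu <unfixed>
        - qemu-kvm <removed>
        NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00050.html
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1373462
        NOTE: http://www.openwall.com/lists/oss-security/2016/09/06/2
CVE-0000-0000 [constructed placeholder entry, not a real CVE]
        - example-pkg 1.2.3-4
        [wheezy] - example-pkg <no-dsa> (Minor issue)
        NOTE: Upstream patch: https://example.invalid/commit/placeholder
"""

# Unindented header: "CVE-YYYY-NNNN [description]"
HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+\[(.*)\])?\s*$")
# Indented package line: optional "[release]", then "- pkg status (reason)"
PKG_RE = re.compile(
    r"^(?:\[(?P<release>[^\]]+)\]\s+)?-\s+(?P<pkg>\S+)\s*"
    r"(?P<status>\S+)?\s*(?:\((?P<reason>.*)\))?$"
)


@dataclass
class Entry:
    cve: str
    description: str
    # (release or None, package, status, reason or None)
    packages: list = field(default_factory=list)
    notes: list = field(default_factory=list)   # text after "NOTE:"
    other: list = field(default_factory=list)   # any other indented line


def parse_cve_list(text):
    """Return a list of Entry objects, one per CVE header in the text."""
    entries = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = HEADER_RE.match(raw)
            if not m:
                raise ValueError(f"unrecognised header line: {raw!r}")
            current = Entry(cve=m.group(1), description=m.group(2) or "")
            entries.append(current)
            continue
        if current is None:
            raise ValueError("indented line before any CVE header")
        line = raw.strip()
        if line.startswith("NOTE:"):
            current.notes.append(line[len("NOTE:"):].strip())
            continue
        m = PKG_RE.match(line)
        if m:
            current.packages.append(
                (m.group("release"), m.group("pkg"), m.group("status"), m.group("reason"))
            )
            continue
        current.other.append(line)
    return entries


def upstream_patch_urls(entry):
    """Extract URLs recorded as 'NOTE: Upstream patch: <url>' on an entry."""
    urls = []
    for note in entry.notes:
        if note.lower().startswith("upstream patch:"):
            urls.append(note.split(":", 1)[1].strip())
    return urls


def find_entry(entries, cve_id):
    """Look up an entry by CVE id; returns None when absent."""
    for entry in entries:
        if entry.cve == cve_id:
            return entry
    return None


if __name__ == "__main__":
    for entry in parse_cve_list(SAMPLE):
        print(entry.cve, "-", entry.description)
        for release, pkg, status, reason in entry.packages:
            print("   ", f"[{release}]" if release else "", pkg, status, reason or "")
        for url in upstream_patch_urls(entry):
            print("    upstream patch:", url)
```

Running the block lists each entry's packages and the upstream patch URLs pulled from its NOTE lines, which is exactly the information the mail asks LTS contributors to record there.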

