
Re: policykit-1 CVE-2018-19788 in jessie



On Thu, Dec 20, 2018 at 03:11:49PM +0530, Abhijith PA wrote:
> Hi Santiago,
> 
> On Thursday 20 December 2018 01:00 AM, Santiago Ruano Rincón wrote:
> > Dear Maintainers,
> > 
> > (It seems my first attempt to send this mail failed. Sorry if you
> > received it twice)
> > 
> > As opposed to stretch, I have been unable to reproduce CVE-2018-19788 in
> > jessie. i.e. systemctl correctly doesn't allow me to stop services, and
> > pkexec blocks me from executing applications that need privileges. 
> 
> I couldn't reproduce in my jessie machine either.
> 
> > Do you think it is safe to consider jessie as not-affected? Or is it
> > still worth applying the patch?
> 
> I think it's okay to mark as not-affected.

Don't mark issues as not-affected just because some specific reproducer
doesn't trigger. This should only be done if source code analysis
has shown it to be not affected.

Cheers,
        Moritz

