[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: policykit-1 CVE-2018-19788 in jessie



El 20/12/18 a las 12:57, Moritz Muehlenhoff escribió:
> On Thu, Dec 20, 2018 at 03:11:49PM +0530, Abhijith PA wrote:
> > Hi Santiago,
> > 
> > On Thursday 20 December 2018 01:00 AM, Santiago Ruano Rincón wrote:
> > > Dear Maintainers,
> > > 
> > > (It seems my first attempt to send this mail failed. Sorry if you
> > > received it twice)
> > > 
> > > As opposed to stretch, I have been unable to reproduce CVE-2018-19788 in
> > > jessie. i.e. systemctl correctly doesn't allow me to stop services, and
> > > pkexec blocks me from executing applications that need privileges. 
> > 
> > I couldn't reproduce in my jessie machine either.
> > 
> > > Do you think is it safe to consider jessie as not-affected? Or is it
> > > still worth to apply the patch?
> > 
> > I think its okay to mark as not-affected.
> 
> Don't mark issues as not-affected just because some specific reproducer
> doesn't trigger. This should only be done if source code analysis
> has shown it to be not affected.

Thanks Abhijith and Moritz.

For different reasons, and despite the differences with stretch are
minimal, I have been unable to carry out a serious source code analysis.
I won't be able to actually work on this (including following-up if a
reversion/problem arises), so I have unclaimed it.

Sorry if it has taken so long.

Cheers,

S

Attachment: signature.asc
Description: PGP signature


Reply to: