Re: ksh / CVE-2019-14868

To: debian-lts@lists.debian.org
Subject: Re: ksh / CVE-2019-14868
From: Sylvain Beucler <beuc@beuc.net>
Date: Mon, 13 Jul 2020 09:55:08 +0200
Message-id: <[🔎] 37aa9ce4-2264-71a2-6e81-72b168094c3d@beuc.net>
In-reply-to: <[🔎] 87r1tgz943.fsf@silverfish.pri>
References: <[🔎] 87r1tgz943.fsf@silverfish.pri>

Hi,

On 13/07/2020 00:01, Brian May wrote:
> Is dla-needed.txt for Jessie or Stretch now?

Stretch.

> ksh was removed from dla-needed.txt for Stretch and classified "minor":
> 
> https://salsa.debian.org/security-tracker-team/security-tracker/commit/87322fcf
> 
> Then it was added again:
> 
> https://salsa.debian.org/security-tracker-team/security-tracker/commit/59a9cd9dca3afc830fea869d12baf2f3d7c21126
> 
> Should we mark it as ignored in Stretch also? Or maybe the reason (as
> given in the commit message when ksh was first removed) was wrong?
> 
> https://salsa.debian.org/security-tracker-team/security-tracker/commit/b72cc677e719d37f5f3378d616d9cb53315db927

github is currently down, so I can't review the patch, but it sounds
like we don't know for sure the full impact of the vulnerability and
would be better off fixing it.

Cheers!
Sylvain

Reply to:

Follow-Ups:
- Re: ksh / CVE-2019-14868
  - From: Ola Lundqvist <ola@inguza.com>

References:
- ksh / CVE-2019-14868
  - From: Brian May <bam@debian.org>

Prev by Date: ksh / CVE-2019-14868
Next by Date: Re: Suggestions for handling of condor update
Previous by thread: ksh / CVE-2019-14868
Next by thread: Re: ksh / CVE-2019-14868
Index(es):
- Date
- Thread