Re: Call for testing: glibc update for buster
On 17/10/2022 10:00, Helmut Grohne wrote:
On Wed, Oct 12, 2022 at 03:45:11PM +0200, Sylvain Beucler wrote:
I'll give it some testing on my buster system.
Thank you. I take the absence of a further response as "nothing broke".
Right, although I was kinda waiting for your input on other points
rather than answer to myself on this one :)
- a methodology point: if there's some uncertainty on CVE-2016-10228 (note:
which is a 2020 fix really), that neither secteam nor the maintainers
decided to fix in other Debian dists, maybe it's not worth the risk to fix
it in LTS.
I read your note that other distros (ubuntu, redhat) did so though,
contacting the maintainers could help evaluate the risk better.
Yeah. I'm fixing quite a number of issues that were not previously
considered. Even though these were non-trivial to fix, I believe that we
should fix them. Leaving them as is would mean that character conversion
involving untrusted inputs is not supported at all. Seems like a hard
Depends on the levels of risks involved (local CPU DoS vs. possible
regression), but again the maintainers would better know what to answer.
Debian LTS Team