Re: klibc 1.5.20 stable/oldstable update
On Wed, May 18, 2011 at 09:25:27PM +0100, Adam D. Barratt wrote:
> On Wed, 2011-05-18 at 15:41 +0000, maximilian attems wrote:
> > 2 commits of klibc 1.5.22 are candidates for stable fixes:
> > * [klibc] ipconfig: comment new escape function
> > security fix for CVE-2011-0997 type vulnerability
> > corresponding cve requested but not yet given out.
> > http://git.kernel.org/?p=libs/klibc/klibc.git;a=commit;h=46a0f831582629612f0ff9707ad1292887f26bff
> Thanks for working on fixing this in stable. Have you confirmed with
> the security team that they don't wish to handle this via a DSA as for
> CVE-2011-0997 itself?
I had only shortly spoken with dannf when fix was not yet at the hand.
he had pointed out that maintainer could upload for "minor" security.
ipconfig in contrare to dhclient is mostly used for netbooting so
rogue dhcpd is only more likely if you mix a live boot system in the equation.
thank you for reviewing the proposed fixes.
ps adding security team on recipient list.