
Bug#912401: stretch-pu: package network-manager/1.6.2-3+deb9u2



Control: tags -1 + moreinfo

On Wed, 2018-10-31 at 08:08 +0100, Michael Biebl wrote:
> I'd like to make a stable upload for network-manager, addressing
> CVE-2018-15688 [1].
> NetworkManager ships an internal copy of sd-network, which is used by
> the dhcp=internal plugin. This plugin is used as fallback if
> isc-dhcp-client is not installed or configured explicitly.
> Both cases are rather uncommon which is why the security team agreed
> that this is sufficient to be fixed via a regular stable upload and
> doesn't require a stable-security upload.
> 
> Upstream has committed the fix to the nm-1-6 branch and included
> various smaller fixes while at it [2].
> 
> Strictly speaking, only [3] should be necessary to address the CVE,
> but upstream recommends to pull the whole branch, which is what I
> did.

From a quick look I'd be OK with that, but it seems like the additional
changes should be mentioned somehow in the changelog.

Regards,

Adam

