
Bug#991621: unblock: util-linux/2.36.1-8



Hi,

Chris Hofstaedtler <zeha@debian.org> (2021-07-28):
> Please unblock package util-linux
> 
> [ Reason ]
> Fix for security bug CVE-2021-37600, reported as Debian bug #991619
> 
> [ Impact ]
> Security issue remains open. From a util-linux perspective, I think
> this is a local (=non-remote) issue.
> 
> [ Tests ]
> util-linux build-time tests cover ipcs and lsipc, which are the two
> affected commands.
> 
> [ Risks ]
> The security bug is in a shared static .c file, used by the ipcs and
> lsipc commands. I hope that ipc shmem/queue/semaphore users do not shell
> out to ipcs/lsipc, and instead use some library. If this is true, only
> "inspection" use cases of local admins would possibly break.
> 
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> [ Other info ]
> util-linux builds udebs. debian-boot@ is x-cc'ed.

Thanks, Chris.

No objections in theory; I'd be happy to have it in testing before Jul
31 (which is the tentative date for the next D-I Bullseye RC), if that's
reasonable from a maintainer/release team point of view. But I suspect
there shouldn't be a huge deal to build debian-installer with the
affected version, so maybe letting the fix mature a little in unstable
is fine too.


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
