Re: [SECURITY] [DSA 3823-1] eject security update

To: Hideki Yamane <henrich@debian.or.jp>
Cc: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 3823-1] eject security update
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 19 Apr 2017 15:33:00 +0200
Message-id: <[🔎] 20170419133300.GA29254@lorien.valinor.li>
Mail-followup-to: Hideki Yamane <henrich@debian.or.jp>, debian-security@lists.debian.org
In-reply-to: <[🔎] CAPpVEmXHCHAMfr6pomOQtvFxJU8BpwmLpK-qB1fcepG07JCxHg@mail.gmail.com>
References: <[🔎] CAPpVEmXHCHAMfr6pomOQtvFxJU8BpwmLpK-qB1fcepG07JCxHg@mail.gmail.com>

Hi

On Tue, Apr 18, 2017 at 10:50:19AM +0900, Hideki Yamane wrote:
> I'm just curious, Ubuntu developer said that there was no embargo for
> eject package vulnerability with Debian, is it true and if so, why?
> 
> https://bugs.launchpad.net/ubuntu/+source/eject/+bug/1673627/comments/3

Yes this is true. All that is happening after dropping the privileges
should be from trusted source (kernel). The fixes were simple enough
and eject package builds fast enough that there was no need to have an
exact timeframe when Ubuntu and Debian needed to push an update in
sync.

To be on the safe side rather than sorry afterwards, Debian has
released updates as well relatively quickly after the issue went
public via Ubuntu, though.

Hope this helps,

Regards,
Salvatore

Reply to:

References:
- Re: [SECURITY] [DSA 3823-1] eject security update
  - From: Hideki Yamane <henrich@debian.or.jp>

Prev by Date: Re: [SECURITY] [DSA 3823-1] eject security update
Next by Date: Bug#857068: Bump libgit2 version to upstream release 0.25.1
Previous by thread: Re: [SECURITY] [DSA 3823-1] eject security update
Next by thread: Bug#857068: Bump libgit2 version to upstream release 0.25.1
Index(es):
- Date
- Thread