
Re: Any idea when CVE-2016-5696 is going to get fixed?



On Mon, 29 Aug 2016 19:30:11 +0200 "Thomas Schmitt"
<scdbackup@gmx.net> wrote:
> Hi,
> 
> Gene Heskett wrote:
> > Normally security things are pushed right on through, particularly
> > when they are a one-file change in the whole kernel source
> > tree.  Why not this time?
> 
> I guess because it is easy to work around
> 
>   https://access.redhat.com/security/vulnerabilities/challengeack
> 
> and the maintainers don't want to shoot their foot immediately again
> by a hasty bugfix release.

The official bug fix is already done in the 4.7 kernel and has been
backported to all the kernels of interest. Apparently it is in the
works for the Debian tree already, though no one has said when the
patches will be released.

As for workarounds, they do no good for the overwhelming majority of
users since they are unaware that they need to push out workarounds.
Users rely on the security update mechanism to get their security
updates. Most organizations aren't even equipped to follow the
torrent of security alerts happening at any given time on an
independent basis.

Perry
-- 
Perry E. Metzger		perry@piermont.com

