Subject: bug#29490: [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
From: Marius Bakke
In-Reply-To: <87zi6wydys.fsf@fastmail.com>
References: <20171128170937.31110-1-mbakke@fastmail.com> <87374pe8kk.fsf@gnu.org> <87zi6wydys.fsf@fastmail.com>
Date: Tue, 02 Jan 2018 17:06:27 +0100
Message-ID: <87po6s9rek.fsf@fastmail.com>
To: Ludovic Courtès
Cc: 29490-done@debbugs.gnu.org

Marius Bakke writes:

> Ludovic Courtès writes:
>
>> Hello,
>>
>> Marius Bakke writes:
>>
>>> These issues have been classified as minor by Debian:
>>>
>>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>>
>>> ...and are not worth the cost of grafting and maintaining this patch.
>>
>> I don’t see Debian’s classification as “minor”, but I see NVD severity
>> “high” and “medium” (I personally fail to imagine concrete remote
>> exploitation scenarios, but I largely lack the mental muscles for this.)
>
> At the bottom of the page is the status for the stable releases, which
> didn't get a DSA due to being a minor issue.
>
> The recent update of glibc on core-updates included a fix for a similar
> problem:
>
> https://security-tracker.debian.org/tracker/CVE-2017-15671
>
> I suppose we can graft that too, but would prefer to just drop them. We
> get the fixes when we merge core-updates in a few weeks anyway.

I pushed this to core-updates, since I'd rather not re-graft everything
on 'master'. The 2.26 package on core-updates has these fixes anyway.

This particular patch author will do a lot more research on future glibc
security issues...