Marius Bakke writes:

> Ludovic Courtès writes:
>
>> Hello,
>>
>> Marius Bakke wrote:
>>
>>> These issues have been classified as minor by Debian:
>>>
>>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>>
>>> ...and are not worth the cost of grafting and maintaining this patch.
>>
>> I don’t see Debian’s classification as “minor”, but I see NVD severity
>> “high” and “medium” (I personally fail to imagine concrete remote
>> exploitation scenarios, but I largely lack the mental muscles for this.)
>
> At the bottom of the page is the status for the stable releases, which
> didn't get a DSA due to being a minor issue.
>
> The recent update of glibc on core-updates included a fix for a similar
> problem:
>
> https://security-tracker.debian.org/tracker/CVE-2017-15671
>
> I suppose we can graft that too, but would prefer to just drop them. We
> get the fixes when we merge core-updates in a few weeks anyway.

I pushed this to core-updates, since I'd rather not re-graft everything on
'master'. The 2.26 package on core-updates has these fixes anyway.

This particular patch author will do a lot more research on future glibc
security issues...