Subject: [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
From: ludo@gnu.org (Ludovic Courtès)
Date: Tue, 02 Jan 2018 23:27:24 +0100
To: Marius Bakke
Cc: 29490-done@debbugs.gnu.org
In-Reply-To: <87po6s9rek.fsf@fastmail.com> (Marius Bakke's message of "Tue, 02 Jan 2018 17:06:27 +0100")
References: <20171128170937.31110-1-mbakke@fastmail.com> <87374pe8kk.fsf@gnu.org> <87zi6wydys.fsf@fastmail.com> <87po6s9rek.fsf@fastmail.com>
Message-ID: <87r2r7x5f7.fsf@gnu.org>

Heya,

Marius Bakke skribis:

> Marius Bakke writes:
>
>> Ludovic Courtès writes:
>>
>>> Hello,
>>>
>>> Marius Bakke skribis:
>>>
>>>> These issues have been classified as minor by Debian:
>>>>
>>>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>>>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>>>
>>>> ...and are not worth the cost of grafting and maintaining this patch.
>>>
>>> I don’t see Debian’s classification as “minor”, but I see NVD severity
>>> “high” and “medium” (I personally fail to imagine concrete remote
>>> exploitation scenarios, but I largely lack the mental muscles for this.)
>>
>> At the bottom of the page is the status for the stable releases, which
>> didn't get a DSA due to being a minor issue.
>>
>> The recent update of glibc on core-updates included a fix for a similar
>> problem:
>>
>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>
>> I suppose we can graft that too, but would prefer to just drop them. We
>> get the fixes when we merge core-updates in a few weeks anyway.
>
> I pushed this to core-updates, since I'd rather not re-graft everything
> on 'master'. The 2.26 package on core-updates has these fixes anyway.

Great, thanks for keeping track of it.

> This particular patch author will do a lot more research on future glibc
> security issues...

Heheh. :-)

Ludo’.