GNU bug report logs -
#29490
[PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
Reported by: Marius Bakke <mbakke <at> fastmail.com>
Date: Tue, 28 Nov 2017 17:10:02 UTC
Severity: normal
Tags: patch
Done: Marius Bakke <mbakke <at> fastmail.com>
Bug is archived. No further changes may be made.
Message #11 received at 29490 <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludo <at> gnu.org> writes:
> Hello,
>
> Marius Bakke <mbakke <at> fastmail.com> writes:
>
>> These issues have been classified as minor by Debian:
>>
>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>
>> ...and are not worth the cost of grafting and maintaining this patch.
>
> I don’t see Debian’s classification as “minor”, but I see NVD severity
> “high” and “medium” (I personally fail to imagine concrete remote
> exploitation scenarios, but I largely lack the mental muscles for this.)

At the bottom of the page is the status for the stable releases, which
didn't get a DSA due to being a minor issue.

The recent update of glibc on core-updates included a fix for a similar
problem:

https://security-tracker.debian.org/tracker/CVE-2017-15671

I suppose we can graft that too, but would prefer to just drop them. We
get the fixes when we merge core-updates in a few weeks anyway.
This bug report was last modified 7 years and 144 days ago.