GNU bug report logs - #29490
[PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."


Package: guix-patches;

Reported by: Marius Bakke <mbakke <at> fastmail.com>

Date: Tue, 28 Nov 2017 17:10:02 UTC

Severity: normal

Tags: patch

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.



Message #16 received at 29490-done <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 29490-done <at> debbugs.gnu.org
Subject: Re: [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670,
 CVE-2017-15671."
Date: Tue, 02 Jan 2018 17:06:27 +0100
Marius Bakke <mbakke <at> fastmail.com> writes:

> Ludovic Courtès <ludo <at> gnu.org> writes:
>
>> Hello,
>>
>> Marius Bakke <mbakke <at> fastmail.com> writes:
>>
>>> These issues have been classified as minor by Debian:
>>>
>>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>>
>>> ...and are not worth the cost of grafting and maintaining this patch.
>>
>> I don’t see Debian’s classification as “minor”, but I see NVD severity
>> “high” and “medium” (I personally fail to imagine concrete remote
>> exploitation scenarios, but I largely lack the mental muscles for this.)
>
> At the bottom of the page is the status for the stable releases, which
> didn't get a DSA due to being a minor issue.
>
> The recent update of glibc on core-updates included a fix for a similar
> problem:
>
> https://security-tracker.debian.org/tracker/CVE-2017-15671
>
> I suppose we can graft that too, but would prefer to just drop them.  We
> get the fixes when we merge core-updates in a few weeks anyway.

I pushed this to core-updates, since I'd rather not re-graft everything
on 'master'.  The 2.26 package on core-updates has these fixes anyway.

This particular patch author will do a lot more research on future glibc
security issues...

This bug report was last modified 7 years and 144 days ago.


