GNU bug report logs - #29490
[PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."

Previous Next

Full log

View this message in rfc822 format

From: ludo <at> gnu.org (Ludovic Courtès)
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 29490-done <at> debbugs.gnu.org
Subject: [bug#29490] [PATCH] Revert "gnu: glibc: Fix CVE-2017-15670, CVE-2017-15671."
Date: Tue, 02 Jan 2018 23:27:24 +0100

Heya,

Marius Bakke <mbakke <at> fastmail.com> skribis:

> Marius Bakke <mbakke <at> fastmail.com> writes:
>
>> Ludovic Courtès <ludo <at> gnu.org> writes:
>>
>>> Hello,
>>>
>>> Marius Bakke <mbakke <at> fastmail.com> skribis:
>>>
>>>> These issues has been classified as minor by Debian:
>>>>
>>>> https://security-tracker.debian.org/tracker/CVE-2017-15670
>>>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>>>
>>>> ...and is not worth the cost of grafting and maintaining this patch.
>>>
>>> I don’t see Debian’s classification as “minor”, but I see NVD severity
>>> “high” and “medium” (I personally fail to imagine concrete remote
>>> exploitation scenarios, but I largely lack the mental muscles for this.)
>>
>> At the bottom of the page is the status for the stable releases, which
>> didn't get a DSA due to being a minor issue.
>>
>> The recent update of glibc on core-updates included a fix for a similar
>> problem:
>>
>> https://security-tracker.debian.org/tracker/CVE-2017-15671
>>
>> I suppose we can graft that too, but would prefer to just drop them.  We
>> get the fixes when we merge core-updates in a few weeks anyway.
>
> I pushed this to core-updates, since I'd rather not re-graft everything
> on 'master'.  The 2.26 package on core-updates have these fixes anyway.

Great, thanks for keeping track of it.

> This particular patch author will do a lot more research on future glibc
> security issues...

Heheh.  :-)

Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.