On 09/26/2014 07:36 AM, Mohammad Yaqoob wrote:
> When are you releasing 4.1.12-6
>
Today. It may be numbered 4.1.13-6, depending on what upstream does in the meantime (Chet has already prepared patch 13 [fixing a parser state leak], but not yet published it), but even without waiting for upstream, I'm already in the middle of building bash with the same patches in use by Fedora (which includes Chet's patch 13, but also an additional patch that Chet is still debating about [avoiding namespace collisions with function exports]), so as to plug CVE-2014-7169.

I'm not sure yet if the build will include CVE-2014-7186 and CVE-2014-7187 fixes [both of them a parser buffer overflow], or if there will be a -7 next week. And given the high publicity of the initial CVE-2014-6271, I suspect there may be further fixes coming; needless to say I'm closely following the upstream developments.

But I also stand by the Red Hat analysis - the worst exploits are those due to CVE-2014-6271, which is already fixed in 4.1.12-5; the remaining three CVEs are worth fixing, but do not have the same severity, so it is okay to wait a bit longer and get it right than it is to prematurely push something only to have to repeat the exercise a day later.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org