Hi Michael,

On Thu, Jan 10, 2019 at 01:41:17AM +0100, Michael Biebl wrote:
> On Wed, 09 Jan 2019 21:08:51 +0100 Salvatore Bonaccorso
> <car...@debian.org> wrote:
> > Source: systemd
> > Version: 204-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Control: found -1 232-25+deb9u6
> > Control: found -1 240-2
> >
> > Hi,
> >
> > The following vulnerability was published for systemd.
> >
> > CVE-2018-16864[0]:
> > memory corruption
>
>
> Should we mark old-stable as not affected given the remark that the
> vulnerability is exploitable since v230?
>
> https://security-tracker.debian.org/tracker/CVE-2018-16864

I do not think so, not-affected would mean the issue is not present.
CVE-2018-16864 though is introduced in v203 itself (see the Qualys
report). Maybe it needs to be discussed in the context of v215 if it
needs a corresponding update or not (that is no-dsa/ignored).

Regards,
Salvatore

p.s.: Note that Red Hat backported the CVE-2018-16864 fix to v219.