On Sun 2019-09-01 13:24:14 +0000, Dmitry Bogatov wrote:
> Good. How urgent is the fix? Can I just upload `dh-runit' into unstable and
> eventually the fix will propagate to affected packages, or do I have to
> request a binNMU?

definitely start with a fix to unstable, but i don't know that it's
urgent to binNMU everything -- this is a defense in depth measure.  it's
mainly relevant as a privilege escalation once someone has gained
arbitrary code execution as the runit-log user itself, i think, and i
don't know of any use of the runit-log user that is likely to be
vulnerable to arbitrary code execution.  if you know of any, then yes,
archive-wide binNMUs are probably advisable.

             --dkg
