On Thu, Oct 21, 2010 at 03:43:59PM -0400, Michael Gilbert wrote:
> On Thu, 21 Oct 2010 19:36:04 +0200, Aurelien Jarno wrote:
> > On Mon, Oct 18, 2010 at 06:58:45PM -0400, Michael Gilbert wrote:
> > > package: eglibc
> > > version: 2.11.2-6
> > > severity: grave
> > > tag: patch
> > >
> > > An issue has been disclosed in eglibc. See:
> > > http://seclists.org/fulldisclosure/2010/Oct/257
> > >
> > > Patch available:
> > > http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html
> > >
> >
> > I have just committed the fix; I am planning to do an upload soon to
> > unstable. Do you think we should also fix it in stable, via a security
> > release?
>
> The exploitability of this issue is questionable, but I think it should
> be fixed in a DSA just to be safe (based on the precautionary
> principle).
>
> Thanks for working on the fix.
>
Ok, then I'll work on a stable upload after doing the unstable upload.
Unfortunately I don't have a lot of time to spend on Debian currently.

Also note that, given that glibc is not built with -DNDEBUG on Debian, it
seems it is not vulnerable. At least an assert is triggered when trying
the exploit, instead of becoming root.

-- 
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurel...@aurel32.net                    http://www.aurel32.net