Christian Hammers wrote:
> > > Does this justify a DSA? If so, can you register a CVE id?
> > 
> > Sorry for the late reply. My intuition tells me that the transferred
> > privileges should be revoked, does the documentation indicate the same?
> > However, if the fix only consists of an option to disable MERGE completely
> > I don't think this solves the problem properly. If that's the case it
> > should rather be documented as being problematic, so that it can be
> > used appropriately.
> 
> The online manual documents this security issue quite well but from the
> wording I guess that it has been updated while fixing the bug :)
> Debian never shipped that manual as it is not DFSG-clean.
> Oh and we only shipped 4.1.11, not 4.1.21.
> 
> Given that upstream did not fix the problem cleanly and merge tables are
> rarely used I would also opt for not fixing the problem.
> 
> Would making a DSA that only documents a problem but does not fix it make sense?

If it's an exotic feature and only documented online I guess we don't
need that.

I've been tinkering with the idea of official Debian security errata, though.
We could use them for issues like this and documentation of vulnerabilities
we deem theoretical.

Cheers,
        Moritz

