[Secure-testing-commits] r56270 - data/CVE
Moritz Muehlenhoff
jmm at moszumanska.debian.org
Sat Sep 30 09:02:07 UTC 2017
Author: jmm
Date: 2017-09-30 09:02:07 +0000 (Sat, 30 Sep 2017)
New Revision: 56270
Modified:
data/CVE/list
Log:
mark coreutils as ignored, see rationale in NOTEs
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-09-30 08:50:37 UTC (rev 56269)
+++ data/CVE/list 2017-09-30 09:02:07 UTC (rev 56270)
@@ -64814,10 +64814,12 @@
NOTE: Upstream commit: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cac9b50b0d75a1d50d6c056ff65c005f3224c8e0 (v4.5-rc2)
CVE-2016-2781 (chroot in GNU coreutils, when used with --userspec, allows local users ...)
- coreutils <unfixed> (bug #816320)
- [stretch] - coreutils <no-dsa> (Minor issue)
- [jessie] - coreutils <no-dsa> (Minor issue)
+ [stretch] - coreutils <ignored> (Minor issue)
+ [jessie] - coreutils <ignored> (Minor issue)
[wheezy] - coreutils <no-dsa> (Minor issue)
- NOTE: Restricting ioctl on the kernel side seems the better approach
+ NOTE: Restricting ioctl on the kernel side seems the better approach, but rejected by Linux upstream
+ NOTE: Fixing this issue via setsid() would introduce regressions:
+ NOTE: https://www.kernel.org/pub/linux/utils/util-linux/v2.28/v2.28-ReleaseNotes
CVE-2016-2779 (runuser in util-linux allows local users to escape to the parent ...)
- util-linux <unfixed> (bug #815922)
[stretch] - util-linux <no-dsa> (Minor issue)
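Review bot: the [wheezy] entry for CVE-2016-2781 is left at <no-dsa> while [stretch] and [jessie] move to <ignored>, so the three releases now disagree even though the new NOTEs give a rationale that is not release-specific. Either switch wheezy in the same commit or add a NOTE saying why it is treated differently. The first new NOTE also states that the kernel-side ioctl restriction was "rejected by Linux upstream" without a reference; a link to that discussion, like the one given for the setsid() regression, would make the rationale verifiable. Finally, the parenthetical on the changed lines still reads "(Minor issue)"; a short reason matching the NOTEs would tell readers why the entry is ignored without scrolling to the notes.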