[pkg-go] Bug#850951: Bug#850951: Bug#850951: CVE-2016-9962
Tianon Gravi
tianon at debian.org
Wed Feb 1 04:46:09 UTC 2017

On 30 January 2017 at 11:31, Salvatore Bonaccorso <carnil at debian.org> wrote:
> Disclaimer: I'm not too deep into that. I just noticed that
> https://bugzilla.novell.com/show_bug.cgi?id=1012568 though seems to
> indicate as well 0.1.1-based versions are affected. But I cannot tell
> more (at the moment).

Reading more into the vuln itself, I think ignoring the "stateDirFD"
bits of the upstream patch is appropriate (and simply adding the
"PR_SET_DUMPABLE" bit for "runc exec" as in
"libcontainer/nsenter/nsexec.c").

I'm preparing a patch for the package now, but I'm curious what the
implications of an upload will be so close to the freeze -- do we need
to request a freeze exception or a migration adjustment after the
updated package is up? Should I hold off on uploading? (would rather
not lose "runc" from stretch)

♥,
- Tianon
4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4
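
What the "PR_SET_DUMPABLE" bit mentioned in the message changes for a process, as an added example that is not code from runc or from the Debian patch: a child clears its dumpable flag with prctl(2), and the parent reads back the flag and the owner of the child's /proc/<pid>/fd, which the kernel hands to root for a non-dumpable process. The helper name probe_child is hypothetical, and the example assumes Linux with /proc mounted.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: fork a child that optionally clears its dumpable
 * flag, then report the child's PR_GET_DUMPABLE value and the owner uid of
 * /proc/<pid>/fd as seen from the parent (-1 if /proc is unavailable).
 * Returns 0 on success, -1 on error. */
int probe_child(int harden, int *dumpable, long *fd_owner)
{
    int p[2];
    if (pipe(p) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                          /* child */
        close(p[0]);
        if (harden) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
        int d = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
        if (write(p[1], &d, sizeof d) != sizeof d) _exit(1);
        pause();                             /* stay alive for the stat() */
        _exit(0);
    }
    close(p[1]);
    int ok = read(p[0], dumpable, sizeof *dumpable) == sizeof *dumpable;
    close(p[0]);
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d/fd", (int)pid);
    *fd_owner = (stat(path, &st) == 0) ? (long)st.st_uid : -1;
    kill(pid, SIGKILL);                      /* done observing the child */
    waitpid(pid, NULL, 0);
    return ok ? 0 : -1;
}

int main(void)
{
    for (int harden = 0; harden <= 1; harden++) {
        int d; long owner;
        if (probe_child(harden, &d, &owner) != 0) return 1;
        printf("harden=%d dumpable=%d /proc/<pid>/fd uid=%ld (own uid=%ld)\n",
               harden, d, owner, (long)getuid());
    }
    return 0;
}
```

Run as an unprivileged user, the hardened child's /proc/<pid>/fd is no longer owned by that user, and unprivileged ptrace attach to it is refused.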