[pkg-go] Bug#850951: Bug#850951: Bug#850951: CVE-2016-9962

Tianon Gravi tianon at debian.org
Wed Feb 1 04:46:09 UTC 2017

On 30 January 2017 at 11:31, Salvatore Bonaccorso <carnil at debian.org> wrote:
> Disclaimer: I'm not too deep into that. I just noticed that
> https://bugzilla.novell.com/show_bug.cgi?id=1012568 though seem to
> indicate as well 0.1.1 based version are affected. But I cannot tell
> more (at the moment).

Reading more into the vuln itself, I think ignoring the "stateDirFD"
bits of the upstream patch is appropriate (and simply adding the
"PR_SET_DUMPABLE" bit for "runc exec" as in

I'm preparing a patch for the package now, but I'm curious what the
implications of an upload will be so close to the freeze -- do we need
to request a freeze exception or a migration adjustment after the
updated package is up?  Should I hold off on uploading?  (would rather
not lose "runc" from stretch)

- Tianon
  4096R / B42F 6819 007F 00F8 8E36  4FD4 036A 9C25 BF35 7DD4

More information about the Pkg-go-maintainers mailing list