[pkg-go] Bug#921156: etcd: CVE-2018-1098 CVE-2018-1099

Stephen Gelman ssgelm at debian.org
Wed Feb 20 05:24:47 GMT 2019


On Tue, 12 Feb 2019 09:32:48 +0700 Arnaud Rebillout
<arnaud.rebillout at collabora.com> wrote:
> I looked into this a bit yesterday.
>
> As mentioned in the issue upstream at
> https://github.com/etcd-io/etcd/issues/9353, the fix has been merged in
> the master branch of etcd in March 2018, almost a year ago. The
> conversation also mentions that this will be part of the next release
> v3.4. However v3.4 has not been released yet.
>
> And I don't think we want to package a random commit from the master
> branch of etcd. So if we want to solve this bug simply by updating the
> package, we'll have to wait for v3.4 to be released.
>
> The other alternative is to cherry-pick the patch.
>
> If I'm not mistaken, the fix can be found in this MR:
> https://github.com/etcd-io/etcd/pull/9372/files. It's not a trivial
> patch. It's unlikely that we can apply it without modification on the
> etcd currently packaged in debian.
>
> I personally can't do that, as I know nothing about etcd anyway. I don't
> know if someone feels up to the task, or has a better idea about how to
> solve that.
>
> Cheers,
>
>   Arnaud

Since upstream still hasn't released a version that fixes the CVE, is
this still considered an RC bug?  Obviously it's better to fix it ASAP,
but if upstream doesn't consider it critical I'm not sure this should
be RC.

Stephen


