[pkg-go] Bug#921156: etcd: CVE-2018-1098 CVE-2018-1099

Moritz Mühlenhoff jmm at inutil.org
Fri Feb 22 22:27:13 GMT 2019


severity 921156 important
thanks

On Tue, Feb 19, 2019 at 11:24:47PM -0600, Stephen Gelman wrote:
> On Tue, 12 Feb 2019 09:32:48 +0700 Arnaud Rebillout
> <arnaud.rebillout at collabora.com> wrote:
> > I looked into this a bit yesterday.
> >
> > As mentioned in the issue upstream at
> > https://github.com/etcd-io/etcd/issues/9353, the fix has been merged in
> > the master branch of etcd in March 2018, almost a year ago. The
> > conversation also mentions that this will be part of the next release
> > v3.4. However v3.4 has not been released yet.
> >
> > And I don't think we want to package a random commit from the master
> > branch of etcd. So if we want to solve this bug simply by updating the
> > package, we'll have to wait for v3.4 to be released.
> >
> > The other alternative is to cherry-pick the patch.
> >
> > If I'm not mistaken, the fix can be found in this MR:
> > https://github.com/etcd-io/etcd/pull/9372/files. It's not a trivial
> > patch. It's unlikely that we can apply it without modification on the
> > etcd currently packaged in Debian.
> >
> > I personally can't do that, as I know nothing about etcd anyway. I don't
> > know if someone feels up to the task, or has a better idea about how to
> > solve that.
> >
> > Cheers,
> >
> >   Arnaud
> 
> Since upstream still hasn't released a version that fixes the CVE, is
> this still considered an RC bug?  Obviously it's better to fix it asap,
> but if upstream doesn't consider it critical I'm not sure this should
> be RC.

Let's downgrade and revisit when a fix has been backported to a 3.2.x
release.

Cheers,
        Moritz
