Bug#839607: Robustify manager_dispatch_notify_fd()

Wolfgang Karall lists+debian-security at karall-edv.at
Mon Oct 3 13:33:04 BST 2016


Hello Michael,

On 16-10-03 12:11:48, Michael Biebl wrote:
> > https://security-tracker.debian.org/tracker/CVE-2016-7796 says all
> > but the version in sid are vulnerable to CVE-2016-7796 and reading
>
> No, sid is not vulnerable. It has been fixed in 231-9

I wrote 'all but the version in sid'. English not being my mother tongue,
this seemed to me the correct way to express exactly that, i.e. 'sid is
not vulnerable', but maybe I'm wrong.

> > https://github.com/systemd/systemd/issues/4234#issuecomment-250441246
> > 
> > this sounds still rather serious, so a security upload would be
> > appreciated.
> > 
> 
> This bug is *not* about CVE-2016-7796 and as I wrote, stable is not
> affected by the crash.

You didn't write about which CVE the bug is (or maybe I missed that),
just that the 'news about systemd crashing when getting a zero sized
message on the notification socket made the rounds recently'.

> Are you a member of the security team?

No, I never said I am, but it seems you noticed your error or were
pointed to it.

And thanks to Florian and Salvatore for reading the same information
that I did and taking this seriously in a polite manner.

Cheers
Wolfgang