Bug#918841: systemd: CVE-2018-16864

Salvatore Bonaccorso carnil at debian.org
Thu Jan 10 05:14:07 GMT 2019


Hi Michael,

On Thu, Jan 10, 2019 at 01:41:17AM +0100, Michael Biebl wrote:
> On Wed, 09 Jan 2019 21:08:51 +0100 Salvatore Bonaccorso
> <carnil at debian.org> wrote:
> > Source: systemd
> > Version: 204-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Control: found -1 232-25+deb9u6
> > Control: found -1 240-2
> > 
> > Hi,
> > 
> > The following vulnerability was published for systemd.
> > 
> > CVE-2018-16864[0]:
> > memory corruption
> 
> 
> Should we mark old-stable as not affected given the remark that the
> vulnerability is exploitable since v230?
> 
> https://security-tracker.debian.org/tracker/CVE-2018-16864

I do not think so, not-affected would mean the issue is not present.
CVE-2018-16864 though is introduced in v203 itself (see the Qualys
report).  Maybe it needs to be discussed in the context of v215 if it
needs a corresponding update or not (that is no-dsa/ignored).

Regards,
Salvatore

p.s.: Note that Red Hat backported the CVE-2018-16864 fix to v219.


