Bug#918841: systemd: CVE-2018-16864
Salvatore Bonaccorso
carnil at debian.org
Thu Jan 10 05:14:07 GMT 2019
Hi Michael,
On Thu, Jan 10, 2019 at 01:41:17AM +0100, Michael Biebl wrote:
> On Wed, 09 Jan 2019 21:08:51 +0100 Salvatore Bonaccorso
> <carnil at debian.org> wrote:
> > Source: systemd
> > Version: 204-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Control: found -1 232-25+deb9u6
> > Control: found -1 240-2
> >
> > Hi,
> >
> > The following vulnerability was published for systemd.
> >
> > CVE-2018-16864[0]:
> > memory corruption
>
>
> Should we mark old-stable as not affected given the remark that the
> vulnerability is exploitable since v230?
>
> https://security-tracker.debian.org/tracker/CVE-2018-16864

I do not think so, not-affected would mean the issue is not present.
CVE-2018-16864 though is introduced in v203 itself (see the Qualys
report). Maybe it needs to be discussed in the context of v215 if it
needs a corresponding update or not (that is no-dsa/ignored).

Regards,
Salvatore

p.s.: Note that Red Hat backported the CVE-2018-16864 fix to v219.