Bug#918848: Plans for stretch-backports wrt. CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866?

intrigeri intrigeri at debian.org
Sun Jan 13 09:46:26 GMT 2019


Hi!

In Tails we're shipping systemd/stretch-backports. We will freeze our
code base (and the APT repositories we use) on Jan 18 for our next
major release, so in the current state of things we would ship
239-12~bpo9+1, which is vulnerable to these 3 vulnerabilities. So I've
started researching our options and I'm wondering:

What's your plan wrt. stretch-backports? 

I realize that with the serious regressions brought by v240 — that
I see upstream and you are quickly fixing, woohoo! — you might want to
let v240 mature a bit longer in testing/sid before backporting, so
I would understand if you're reluctant to upload 240-4 to
stretch-backports as soon as it migrates to testing.

But maybe you plan to upload 239-12~bpo9+2 with the fixes backported?

FWIW, on the Tails side I'll build a custom backport of 240-4 and will
run it through the Tails integration test suite, because we have other
incentives to upgrade (getting the fixes for
https://github.com/systemd/systemd/issues/9461) and I'd rather do this
upgrade now in a controlled, relaxed way, than at the last minute
before our freeze (if v240 is uploaded to stretch-backports on
Jan 17-18).

Thanks a *lot* for your amazing work on the systemd package!

Cheers,
-- 
intrigeri



More information about the Pkg-systemd-maintainers mailing list