Bug#918848: Plans for stretch-backports wrt. CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866?

Michael Biebl biebl at debian.org
Sun Jan 13 15:45:35 GMT 2019


On 13.01.19 at 10:46, intrigeri wrote:
> Hi!
> 
> In Tails we're shipping systemd/stretch-backports. We will freeze our
> code base (and the APT repositories we use) on Jan 18 for our next
> major release, so in the current state of things we would ship
> 239-12~bpo9+1, which is vulnerable to these 3 vulnerabilities. So I've
> started researching our options and I'm wondering:
> 
> What's your plan wrt. stretch-backports? 

I do think we nailed the worst regressions by now, so my plan was to
wait until 240-4 has migrated to testing and then upload that to
stretch-backports, for the simple reason that this means less effort for
me. If someone wants to backport the fixes to 239-12~bpo9+1, that would
obviously be ok with me as well.

> FWIW, on the Tails side I'll build a custom backport of 240-4 and will
> run it through the Tails integration test suite, because we have other
> incentives to upgrade (getting the fixes for
> https://github.com/systemd/systemd/issues/9461) and I'd rather do this
> upgrade now in a controlled, relaxed way, than at the last minute
> before our freeze (if v240 is uploaded to stretch-backports on
> Jan 17-18).

Please let us know about the results of those tests.
If 240-4 fails horribly, we could revisit the decision to upload this
version to stretch-backports.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
