Hi,
On 17/10/2022 10:00, Helmut Grohne wrote:
> On Wed, Oct 12, 2022 at 03:45:11PM +0200, Sylvain Beucler wrote:
>> I'll give it some testing on my buster system.
> Thank you. I take the absence of a further response as "nothing broke".
Right, although I was kinda waiting for your input on other points
rather than answer to myself on this one :)
>> - a methodology point: if there's some uncertainty on CVE-2016-10228 (note:
>> which is a 2020 fix really), that neither secteam nor the maintainers
>> decided to fix in other Debian dists, maybe it's not worth the risk to fix
>> it in LTS.
>> I read your note that other distros (ubuntu, redhat) did so though,
>> contacting the maintainers could help evaluate the risk better.
> Yeah. I'm fixing quite a number of issues that were not previously
> considered. Even though these were non-trivial to fix, I believe that we
> should fix them. Leaving them as is would mean that character conversion
> involving untrusted inputs is not supported at all. Seems like a hard
> sell, right?
Depends on the levels of risks involved (local CPU DoS vs. possible
regression), but again the maintainers would better know what to answer.
Cheers!
Sylvain Beucler
Debian LTS Team