On 25/10/16 at 12:56, Miroslav Rovis wrote:
> Hi!

Hi Miroslav!

> Due to this bug:
> https://bugs.gentoo.org/show_bug.cgi?id=597554
>
> I can't use the patched 4.7.9 of hardened sources.
>
> hardened-sources-4.4.8-r1 do not appear to me to be mad COW patched.

I guess you are talking about CVE-2016-5195 here. Please correct me if mistaken.

> I looked up the sources, but am not able to see for sure how to patch
> 4.4.8-r1 myself.
>
> I have just rsynced my system and nothing new seems to have happened
> with 4.4.8-r1 yet.

If 4.4.8 gets patched you will find a new revision (i.e. 4.4.8-r2). This is quite standard Gentoo policy: if a package is modified after publication (for example by backporting patches) the revision of the packet has to be increased so that users will be able to use these when updating. The only exceptions I know of are the -9999 packages for bleeding edge trunks and some very minor changes (think for example of a fix in the build system or a minor documentation fix) which a fix for CVE-2016-5195 clearly wouldn't be.

You can read more on the Gentoo project revision policy for ebuilds at https://devmanual.gentoo.org/general-concepts/ebuild-revisions/

> Is there patching needed for those stable hardened sources and will
> there be a patch soon?

According to https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails CVE-2016-5195 has been around since 2.6.22, so 4.4.8-r1 is not patched and is needed to protect against this issue. As for whether there will or not be a backported patch, you should ask blueness, but my guess is that there won't be one unless somebody provides such backported patch to blueness.

I'm CCing the Gentoo Hardened user list as other users may be able to provide more and better input on this.

Sincerely,
Francisco Blas Izquierdo Riera (klondike)