(the first message I sent to harde...@gentoo.org but I meant to send to the list, so resending)

On 161025-10:11-0400, Anthony G. Basile wrote:
> On 10/25/16 10:10 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
> > On 25/10/16 at 12:56, Miroslav Rovis wrote:
> >> Hi!
> > Hi Miroslav!
> >> Due to this bug:
> >> https://bugs.gentoo.org/show_bug.cgi?id=597554
> >>
> >> I can't use the patched 4.7.9 of hardened sources.
> >>
> >> hardened-sources-4.4.8-r1 do not appear to me to be mad COW patched.
> > I guess you are talking about CVE-2016-5195 here. Please correct me if
> > mistaken.
> >> I looked up the sources, but am not able to see for sure how to patch
> >> 4.4.8-r1 myself.
> >>
> >> I have just rsynced my system and nothing new seems to have happened
> >> with 4.4.8-r1 yet.
> > If 4.4.8 gets patched you will find a new revision (i.e. 4.4.8-r2). This
> > is quite standard Gentoo policy, if a package is modified after
> > publication (for example by backporting patches) the revision of the
> > packet has to be increased so that users will be able to use these when
> > updating. The only exceptions I know of are the -9999 packages for
> > bleeding edge trunks and some very minor changes (think for example of a
> > fix in the build system or a minor documentation fix) which a fix for
> > CVE-2016-5195 clearly wouldn't be.
> >
> > You can read more on the Gentoo project revision policy for ebuilds at
> > https://devmanual.gentoo.org/general-concepts/ebuild-revisions/
> >> Is there patching needed for those stable hardened sources and will
> >> there be a patch soon?
> > According to
> > https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
> > CVE-2016-5195 has been around since 2.6.22 so 4.4.8-r1 is not patched
> > and is needed to protect against this issue, as for whether there will
> > or not be a backported patch you should ask blueness but my guess is
> > that there won't be one unless somebody provides such backported patch
> > to blueness.
> >
> > I'm CCing the Gentoo Hardened user list as other users may be able to
> > provide more and better input on this.
> >
> > Sincerely,
> > Francisco Blas Izquierdo Riera (klondike)
> >
>
> I'm testing 4.7.10 and will have it stabilized soon.
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : bluen...@gentoo.org
> GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
> GnuPG ID : F52D4BBA

Professor Basile, it's always a privilege reading from you, but do you
mean the bug:
> >> https://bugs.gentoo.org/show_bug.cgi?id=597554
will be fixed too?

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr