m...@netris.org wrote:

> I'll push this patch to core-updates as soon as I've tested it.
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=17187
> https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8
> http://googleprojectzero.blogspot.co.nz/2014/08/the-poisoned-nul-byte-2014-edition.html
>
> I'm not sure what we should do on 'master'. Thoughts?

Since it permits root privilege escalation, and there’s a documented example on how to do it, the general rule IMO should be that we should apply it.

However, Hydra is currently in a bad state, esp. disk-space-wise, so I’m afraid this would prevent us from deploying the fix efficiently. :-/

So I’m inclined to just leave it on core-updates for now. WDYT?

That said, perhaps now is a good time to write down rules on how to handle CVEs. Would you like to have a stab at it?

Thanks,
Ludo’.