On 2017-08-18 04:20 PM, Randy MacLeod wrote:
On 2017-08-16 07:34 AM, Jussi Kukkonen wrote:
On 16 August 2017 at 13:28, Chen Qi <qi.c...@windriver.com> wrote:
Backport a patch to fix CVE-2017-12424.
In shadow before 4.5, the newusers tool could be made to manipulate
internal data structures in ways unintended by the authors.
Reference link: https://nvd.nist.gov/vuln/detail/CVE-2017-12424
CVE: CVE-2017-12424
I don't object to the patch but I'm wondering if there is a reason we
are taking the shadow sources from debian instead of the upstream
github*? shadow 4.5 seems to have been out for months already but
Debian hasn't taken it yet...
*) https://github.com/shadow-maint/shadow
Jussi
Good point. It's late in the release but maybe
not too late to update shadow.
Qi,
If you could give it a try and let us know if there are any
'gotchas' that would prevent or make the upgrade risky,
that would be great.
Turns out that Qi will only be able to do this at the start of
the oe-core-2.5 development cycle.
../Randy
--
# Randy MacLeod. SMTS, Linux, Wind River
Direct: 613.963.1350 | 350 Terry Fox Drive, Suite 200, Ottawa, ON,
Canada, K2K 2W5
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core