| 1 |
(the first message I sent to hardened@g.o but I meant to send to |
| 2 |
the list, so resending) |
| 3 |
On 161025-10:11-0400, Anthony G. Basile wrote: |
| 4 |
> On 10/25/16 10:10 AM, Francisco Blas Izquierdo Riera (klondike) wrote: |
| 5 |
> > El 25/10/16 a las 12:56, Miroslav Rovis escribió: |
| 6 |
> >> Hi! |
| 7 |
> > Hi Miroslav! |
| 8 |
> >> Due to this bug: |
| 9 |
> >> https://bugs.gentoo.org/show_bug.cgi?id=597554 |
| 10 |
> >> |
| 11 |
> >> I can't use the patched 4.7.9 of hardened sources. |
| 12 |
> >> |
| 13 |
> >> hardened-sources-4.4.8-r1 do not appear to me to be mad COW patched. |
| 14 |
> > I guess you are talking about CVE-2016–5195 here. Please correct me if |
| 15 |
> > mistaken. |
| 16 |
> >> I looked up the sources, but am not able to see for sure how to patch |
| 17 |
> >> 4.4.8-r1 myself. |
| 18 |
> >> |
| 19 |
> >> I have just rsynced my system and nothing new seems to have happened |
| 20 |
> >> with 4.4.8-r1 yet. |
| 21 |
> > If 4.4.8 gets patched you will find a new revision (i.e. 4.4.8-r2). This |
| 22 |
> > is quite standard Gentoo policy, if a package is modifed after |
| 23 |
> > publication (for example by backporting patches) the revision of the |
| 24 |
> > packet has to be increased so that users will be able to use these when |
| 25 |
> > updating. The only exceptions I know of are the -9999 packages for |
| 26 |
> > bleeding edge trunks and some very minor changes (think for example of a |
| 27 |
> > fix in the build system or a minor documentation fix) which a fix for |
| 28 |
> > CVE-2016–5195 clearly wouldn't be. |
| 29 |
> > |
| 30 |
> > You can read more on the Gentoo project revision policy for ebuilds at |
| 31 |
> > https://devmanual.gentoo.org/general-concepts/ebuild-revisions/ |
| 32 |
> >> Is thare patching needed for those stable hardened sources and will |
| 33 |
> >> there be a patch soon? |
| 34 |
> > According to |
| 35 |
> > https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails |
| 36 |
> > CVE-2016-5195 has been around since 2.6.22 so 4.4.8-r1 is not patched |
| 37 |
> > and is needed to protect against this issue, as for whether there will |
| 38 |
> > or not be a backported patch you should ask blueness but my guess is |
| 39 |
> > that there won't be one unless somebody provides such backported patch |
| 40 |
> > to blueness. |
| 41 |
> > |
| 42 |
> > I'm CCing the Gentoo Hardened user list as other users may be able to |
| 43 |
> > provide more and better input on this. |
| 44 |
> > |
| 45 |
> > Sincerely, |
| 46 |
> > Francisco Blas Izquierdo Riera (klondike) |
| 47 |
> > |
| 48 |
> |
| 49 |
> I'm testing 4.7.10 and will have it stabilized soon. |
| 50 |
> |
| 51 |
> -- |
| 52 |
> Anthony G. Basile, Ph.D. |
| 53 |
> Gentoo Linux Developer [Hardened] |
| 54 |
> E-Mail : blueness@g.o |
| 55 |
> GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 56 |
> GnuPG ID : F52D4BBA |
| 57 |
|
| 58 |
Professor Basile, |
| 59 |
|
| 60 |
it's always a privilege reading from you, but do you mean the bug: |
| 61 |
> >> https://bugs.gentoo.org/show_bug.cgi?id=597554 |
| 62 |
will be fixed too? |
| 63 |
|
| 64 |
Regards! |
| 65 |
-- |
| 66 |
Miroslav Rovis |
| 67 |
Zagreb, Croatia |
| 68 |
http://www.CroatiaFidelis.hr |
Archives