(the first message I sent to hardened@g.o but I meant to send to
the list, so resending)
On 161025-10:11-0400, Anthony G. Basile wrote:
> On 10/25/16 10:10 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
> > On 25/10/16 at 12:56, Miroslav Rovis wrote:
> >> Hi!
> > Hi Miroslav!
> >> Due to this bug:
> >> https://bugs.gentoo.org/show_bug.cgi?id=597554
> >>
> >> I can't use the patched 4.7.9 of hardened sources.
> >>
> >> hardened-sources-4.4.8-r1 do not appear to me to be mad COW patched.
> > I guess you are talking about CVE-2016-5195 here. Please correct me if
> > mistaken.
> >> I looked up the sources, but am not able to see for sure how to patch
> >> 4.4.8-r1 myself.
> >>
> >> I have just rsynced my system and nothing new seems to have happened
> >> with 4.4.8-r1 yet.
> > If 4.4.8 gets patched you will find a new revision (i.e. 4.4.8-r2). This
> > is quite standard Gentoo policy, if a package is modified after
> > publication (for example by backporting patches) the revision of the
> > packet has to be increased so that users will be able to use these when
> > updating. The only exceptions I know of are the -9999 packages for
> > bleeding edge trunks and some very minor changes (think for example of a
> > fix in the build system or a minor documentation fix) which a fix for
> > CVE-2016-5195 clearly wouldn't be.
> >
> > You can read more on the Gentoo project revision policy for ebuilds at
> > https://devmanual.gentoo.org/general-concepts/ebuild-revisions/
> >> Is there patching needed for those stable hardened sources and will
> >> there be a patch soon?
> > According to
> > https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
> > CVE-2016-5195 has been around since 2.6.22 so 4.4.8-r1 is not patched
> > and is needed to protect against this issue, as for whether there will
> > or not be a backported patch you should ask blueness but my guess is
> > that there won't be one unless somebody provides such backported patch
> > to blueness.
> >
> > I'm CCing the Gentoo Hardened user list as other users may be able to
> > provide more and better input on this.
> >
> > Sincerely,
> > Francisco Blas Izquierdo Riera (klondike)
> >
>
> I'm testing 4.7.10 and will have it stabilized soon.
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : blueness@g.o
> GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
> GnuPG ID : F52D4BBA

Professor Basile,

it's always a privilege reading from you, but do you mean the bug:
> >> https://bugs.gentoo.org/show_bug.cgi?id=597554
will be fixed too?

Regards!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr