Your message dated Sun, 21 Jan 2018 23:18:53 +0100
with message-id <[email protected]>
and subject line Re: Bug#848704: CVE-2016-4973
has caused the Debian Bug report #848704,
regarding CVE-2016-4973
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
848704: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848704
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: gcc-mingw-w64
Severity: important
Tags: security

This has been assigned CVE-2016-4973:
https://bugzilla.redhat.com/show_bug.cgi?id=1324759

Cheers,
        Moritz

--- End Message ---
--- Begin Message ---
On Mon, 26 Dec 2016 11:31:57 +0100, Moritz Mühlenhoff <[email protected]> wrote:
> On Mon, Dec 19, 2016 at 07:01:41PM +0100, Stephen Kitt wrote:
> > On Mon, 19 Dec 2016 18:48:06 +0100, Moritz Mühlenhoff <[email protected]>
> > wrote:  
> > > This has been assigned CVE-2016-4973:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1324759  
> > 
> > This doesn't really seem to be going anywhere, is it really worth spending
> > time on? GCC upstream disagrees that it's an issue. I'd already tried the
> > patch attached to the bug linked above, and it doesn't work.  
> 
> I mostly filed it for completeness to have the status tracked in the BTS.
> 
> From my point of view it's not a vulnerability and should not have a
> CVE ID assigned, it's ultimately just a missing security hardening
> feature.
> 
> I'm fine with simply closing it, but it's your maintainer's call.

Circling back to this, I agree, and nothing ever came of the various bugs
opened elsewhere in relation to this CVE (except in newlib which isn’t
particularly relevant here). It would be nice if SSP was supported properly,
but it’s not a security issue as far as I’m concerned. So I’m closing the
bug.

Regards,

Stephen



--- End Message ---
