On Tue, Jul 18, 2017 at 01:53:09PM -0400, Noah Meyerhans wrote: > Control: tags -1 + pending patch > > On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote: > > > > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396 > > > > I believe that the attached debdiff, derived from NetBSD's fix, should > address this problem. It should apply with only metadata modifications > as far back as oldstable. > > I'll upload to unstable as soon as I've satisfied myself that the update > doesn't introduce any regressions. I don't believe there's a PoC for the > attack, so I don't know that we'll be able to confirm definitively that > the issue is resolved. If anybody has PoC code or is interested in > putting some together, I'd be interested in testing the fix more > thoroughly... > > Uploads targeting (old)stable will follow shortly after unstable, > assuming no issues.
It sure looks like that patch is not correct. Jiri Bohac from Novell found that it introduced a regression that could lead to another DoS: https://bugzilla.novell.com/show_bug.cgi?id=1047443#c1 This was added to the NetBSD bug, but no response yet. I'll see if I can test this, but hold on to your uploads for now. A.
signature.asc
Description: PGP signature

