On Tue, Jul 18, 2017 at 01:53:09PM -0400, Noah Meyerhans wrote:
> Control: tags -1 + pending patch
> 
> On Mon, Jul 10, 2017 at 11:18:35PM +0200, Moritz Muehlenhoff wrote:
> > 
> > Please see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396   
> > 
> 
> I believe that the attached debdiff, derived from NetBSD's fix, should
> address this problem. It should apply with only metadata modifications
> as far back as oldstable.
> 
> I'll upload to unstable as soon as I've satisfied myself that the update
> doesn't introduce any regressions. I don't believe there's a PoC for the
> attack, so I don't know that we'll be able to confirm definitively that
> the issue is resolved. If anybody has PoC code or is interested in
> putting some together, I'd be interested in testing the fix more
> thoroughly...
> 
> Uploads targeting (old)stable will follow shortly after unstable,
> assuming no issues.

It sure looks like that patch is not correct. Jiri Bohac from Novell
found that it introduced a regression that could lead to another DoS:

https://bugzilla.novell.com/show_bug.cgi?id=1047443#c1

This was added to the NetBSD bug, but no response yet.

I'll see if I can test this, but hold on to your uploads for now.

A.

Attachment: signature.asc
Description: PGP signature

Reply via email to