On Tue, 12 Feb 2019 09:32:48 +0700 Arnaud Rebillout <arnaud.rebill...@collabora.com> wrote:

> I looked into this a bit yesterday.
>
> As mentioned in the issue upstream at
> https://github.com/etcd-io/etcd/issues/9353, the fix has been merged in
> the master branch of etcd in March 2018, almost a year ago. The
> conversation also mentions that this will be part of the next release,
> v3.4. However, v3.4 has not been released yet.
>
> And I don't think we want to package a random commit from the master
> branch of etcd. So if we want to solve this bug simply by updating the
> package, we'll have to wait for v3.4 to be released.
>
> The other alternative is to cherry-pick the patch.
>
> If I'm not mistaken, the fix can be found in this MR:
> https://github.com/etcd-io/etcd/pull/9372/files. It's not a trivial
> patch. It's unlikely that we can apply it without modification on the
> etcd currently packaged in Debian.
>
> I personally can't do that, as I know nothing about etcd anyway. I don't
> know if someone feels up to the task, or has a better idea about how to
> solve that.
>
> Cheers,
>
> Arnaud
Since upstream still hasn't released a version that fixes the CVE, is this still considered an RC bug? Obviously it's better to fix it ASAP, but if upstream doesn't consider it critical, I'm not sure this should be RC.

Stephen