On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> All,
> 
> these packages have been masked in the tree for months - years with no
> signs of fixes.
> 
> I am particularly concerned about packages with known security
> vulnerabilities staying in the main tree masked. If people want to keep
> using those packages, I don't want to stop them, but packages like this
> should not be in the main tree.
> 
> # Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
> #
> # Pinkie Pie discovered an issue in the futex subsystem that allows a
> # local user to gain ring 0 control via the futex syscall. An
> # unprivileged user could use this flaw to crash the kernel (resulting
> # in denial of service) or for privilege escalation.
> #
> # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
> =sys-kernel/gentoo-sources-3.2.58-r2
> ~sys-kernel/gentoo-sources-3.4.90
> =sys-kernel/gentoo-sources-3.4.91
> ~sys-kernel/gentoo-sources-3.10.40
> =sys-kernel/gentoo-sources-3.10.41
> ~sys-kernel/gentoo-sources-3.12.20
> =sys-kernel/gentoo-sources-3.12.21
> ~sys-kernel/gentoo-sources-3.14.4
> =sys-kernel/gentoo-sources-3.14.5

Hello,

What's the feeling for how long a package.mask entry should stay in the
file in the event that a package can cause physical damage to a user's
system?

For certain types of hardware, kernel 3.17.0 could cause some
filesystem corruption. Of course, 3.17.0 is out of the tree, but when is
it appropriate to say that a user has had enough time to upgrade their
systems and we can remove this entry?

Mike


-- 
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead 
E-Mail     : mpag...@gentoo.org
GnuPG FP   : EEE2 601D 0763 B60F 848C  9E14 3C33 C650 B576 E4E3
Public Key : http://pgp.mit.edu:11371/pks/lookup?search=0xB576E4E3&op=index
