On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > All,
> >
> > these packages have been masked in the tree for months - years with no
> > signs of fixes.
> >
> > I am particularly concerned about packages with known security
> > vulnerabilities staying in the main tree masked. If people want to keep
> > using those packages, I don't want to stop them, but packages like this
> > should not be in the main tree.
> >
> > # Mask gentoo-sources ebuilds that are affected with security bug
> > # CVE-2014-3153.
> > #
> > # Pinkie Pie discovered an issue in the futex subsystem that allows a
> > # local user to gain ring 0 control via the futex syscall. An
> > # unprivileged user could use this flaw to crash the kernel (resulting
> > # in denial of service) or for privilege escalation.
> > #
> > # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
> > =sys-kernel/gentoo-sources-3.2.58-r2
> > ~sys-kernel/gentoo-sources-3.4.90
> > =sys-kernel/gentoo-sources-3.4.91
> > ~sys-kernel/gentoo-sources-3.10.40
> > =sys-kernel/gentoo-sources-3.10.41
> > ~sys-kernel/gentoo-sources-3.12.20
> > =sys-kernel/gentoo-sources-3.12.21
> > ~sys-kernel/gentoo-sources-3.14.4
> > =sys-kernel/gentoo-sources-3.14.5
Mike, since you responded here, what do you think about this p.mask
entry? Should we keep these in the tree?

> > Hello,
> >
> > What's the feeling for how long a package.mask entry should stay in the
> > file in the event that a package can cause physical damage to a user's
> > system.
> >
> > For certain types of hardware, kernel 3.17.0 could cause some
> > filesystem corruption. Of course, 3.17.0 is out of the tree but when is
> > it appropriate to say that a user has had enough time to upgrade their
> > systems and we can remove this entry? (qa hat off here, just a question)

I'm a bit confused here. If you have a specific p.mask entry for 3.17.0
and 3.17.0 is out of the tree, isn't that p.mask entry invalid now? If
so, go ahead and remove or adjust the entry.

William
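As an added example (not part of this thread and not Gentoo's own tooling), the check William's question implies, in Python: parse package.mask atoms in the shape quoted above and report entries that no longer match any ebuild in the tree, which is exactly the "3.17.0 is out of the tree, so the entry is invalid" case. The mask text and ebuild list below are constructed sample data; `=` is treated as an exact version-and-revision match and `~` as same version with any revision, and the `tree_ebuilds` helper assumes the usual `cat/pkg/pkg-ver.ebuild` repository layout.

```python
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Constructed sample package.mask text (not the real Gentoo file), shaped like
# the entry quoted in the thread plus a hypothetical entry for the 3.17.0 issue.
SAMPLE_PACKAGE_MASK = """\
# Mask gentoo-sources ebuilds that are affected with security bug
# CVE-2014-3153.
=sys-kernel/gentoo-sources-3.2.58-r2
~sys-kernel/gentoo-sources-3.4.90
=sys-kernel/gentoo-sources-3.4.91

# Hypothetical entry for the 3.17.0 filesystem-corruption issue
=sys-kernel/gentoo-sources-3.17.0
"""

# Constructed list of ebuilds assumed to still be in the tree, as cat/pkg-ver.
SAMPLE_TREE = [
    "sys-kernel/gentoo-sources-3.2.58-r2",
    "sys-kernel/gentoo-sources-3.4.90-r1",
    "sys-kernel/gentoo-sources-3.18.1",
]

# cat/pkg-version[-rN]; version = dotted digits, optional letter, optional
# _alpha/_beta/_pre/_rc/_p suffixes (the common version shapes).
CPV_RE = re.compile(
    r"^(?P<cp>[^/\s]+/\S+?)-"
    r"(?P<ver>\d+(?:\.\d+)*[a-z]?(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)


def split_cpv(cpv: str) -> Tuple[str, str, str]:
    """Split 'cat/pkg-1.2-r3' into ('cat/pkg', '1.2', '3'); a missing revision is '0'."""
    m = CPV_RE.match(cpv)
    if not m:
        raise ValueError(f"not a cat/pkg-version string: {cpv!r}")
    return m.group("cp"), m.group("ver"), m.group("rev") or "0"


def parse_package_mask(text: str) -> List[Tuple[str, str, str]]:
    """Return (atom, operator, target) per atom line; comments and blanks are skipped.

    Supports the operators used in the quoted entry ('=' exact, '~' any revision)
    and bare cat/pkg (all versions). Other operators raise rather than being
    silently reported as stale.
    """
    atoms = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line[0] in "=~":
            atoms.append((line, line[0], line[1:]))
        elif line[0] in "<>!":
            raise ValueError(f"unsupported operator in atom: {line!r}")
        else:
            atoms.append((line, "", line))
    return atoms


def atom_matches(op: str, target: str, tree_cpv: str) -> bool:
    """True if the atom (operator + target) covers the given tree ebuild."""
    tcp, tver, trev = split_cpv(tree_cpv)
    if op == "":
        return target == tcp          # bare cat/pkg masks every version
    cp, ver, rev = split_cpv(target)
    if cp != tcp or ver != tver:
        return False
    if op == "=":
        return rev == trev            # '=' needs the exact revision too
    return True                       # '~': same version, any revision


def stale_entries(mask_text: str, tree: Iterable[str]) -> List[str]:
    """Atoms in mask_text that match no ebuild in tree (candidates for removal)."""
    tree = list(tree)
    return [atom for atom, op, target in parse_package_mask(mask_text)
            if not any(atom_matches(op, target, t) for t in tree)]


def tree_ebuilds(repo_root: str) -> List[str]:
    """List cat/pkg-ver for every ebuild in a repository laid out as cat/pkg/pkg-ver.ebuild."""
    return sorted(f"{p.parent.parent.name}/{p.stem}"
                  for p in Path(repo_root).glob("*/*/*.ebuild"))


if __name__ == "__main__":
    # Against the constructed data, the 3.4.91 and 3.17.0 entries are reported.
    for atom in stale_entries(SAMPLE_PACKAGE_MASK, SAMPLE_TREE):
        print("stale:", atom)
```

To run it against a real checkout, pass `tree_ebuilds("/path/to/repo")` as the second argument instead of the sample list. Note that a stale entry is a removal candidate, not an automatic removal: an entry whose versions are gone may still be worth keeping briefly with a comment if users are known to have the affected version installed.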