On Fri, Oct 2, 2015 at 6:54 AM, Austin English <austinengl...@gmail.com> wrote:
> On Oct 2, 2015 4:50 AM, "intrigeri" <intrig...@boum.org> wrote:
>>
>> Hi,
>>
>> Austin English wrote (07 Sep 2015 20:30:59 GMT) :
>> > On Mon, Sep 7, 2015 at 3:25 PM, Austin English <austinengl...@gmail.com>
>> > wrote:
>> >> Rebasing it was trivial (the conflict was on adding the test to the
>> >> Makefile). It looks like upstream has a bug (they don't actually run
>> >> the tests), but that's fixed in this patch.
>>
>> > Small correction, their build system changed, upstream does not have a
>> > bug in that regard.
>>
>> Thanks again for requesting a CVE ID about it. The CVE folks have
>> analyzed this in depth and concluded it is a Tails vulnerability, not
>> a wget one. So we got our first CVE ID, it seems:
>>
>> http://www.openwall.com/lists/oss-security/2015/10/01/10
>>
>> ⇒ this won't get fixed via Debian security update, and we need to
>> handle it on our side.
>>
>> Austin, given this, can you please give advice wrt. what's the easiest
>> safe way to fix that problem in Tails? Can we do that on Tails/Wheezy
>> with configuration only, or do we need to patch wget? Is it any
>> different in Tails/Jessie, or with wget 1.16.3 that we could perhaps
>> backport?
>>
>> (Sorry, I've no time/energy at the moment to re-read the entire thread
>> and the one it links to.)
>>
>> Also, any idea if other FTP clients we ship (at least Tor Browser and
>> Nautilus) are affected by this problem?
>>
>> I'd like to see tickets on our Redmine track the known problem, and
>> the research about more potential ones. If you don't feel like
>> creating these tickets, let me know and I'll do it.
>>
>> Cheers,
>> --
>> intrigeri
>
> I'm on holiday for the next two weeks, so please create the tickets.
>
> Afaict, it requires patching wget. The fix backports cleanly, the tests
> don't (I've manually backported that).

wget/CVE-2015-7665: https://labs.riseup.net/code/issues/10364
Investigate nautilus/Tor Browser: https://labs.riseup.net/code/issues/10365

--
-Austin
_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
tails-dev-unsubscr...@boum.org.