guix-devel

Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates


From: Kei Kebreau
Subject: Re: [PATCH 0/1] Dbus update 1.10.12 for core-updates
Date: Mon, 10 Oct 2016 14:10:24 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Leo Famulari <address@hidden> writes:

> There's a format string vulnerability (with unknown impact) in our dbus:
>
> http://seclists.org/oss-sec/2016/q4/85
>
> Please read that message and the linked bug report.
>
> My understanding of the upstream analysis of the format string
> vulnerability is that only the bus owner can trigger it. So, if the
> vulnerability allows arbitrary code execution, it would mean that root
> could execute arbitrary code via the system bus... not a huge problem.
> But still undesirable.
>
> What do you think? Should we update this on core-updates? Should we
> graft it on master?
>
> Leo Famulari (1):
>   gnu: dbus: Update to 1.10.12.
>
>  gnu/packages/glib.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Excuse my ignorance, but when is a patch considered significant enough
to be updated on core-updates instead of master? Put another way, what
is the purpose of core-updates?
