Re: [Monotone-devel] status of nvm.stripped
From: Markus Wanner
Subject: Re: [Monotone-devel] status of nvm.stripped
Date: Mon, 19 Jan 2009 10:50:34 +0100
User-agent: Mozilla-Thunderbird 2.0.0.17 (X11/20081018)

Hi,
Thomas Moschny wrote:
> Zack Weinberg wrote:
>> I'd prefer not to drop the minimum version below the most recent point
>> at which an exploitable crasher bug was fixed, which (according to
>> pcre's NEWS file) was 7.6. There probably isn't an attack vector with
>> our usage but I can't prove it so I'd rather be safe.
>>
>> (Can you find out if FC9 backported those fixes?)
>
> The pcre package in F9 has a backported fix for CVE-2008-0674, and also
> a fix for the more recent CVE-2008-2371 problem.
Hm.. so.. what's the way to go here?
I'd propose leaving our own minimum requirement at 7.6 and advise
Fedora 9 packagers to drop it to 7.3 on their own (simply by patching
pcrewrapper.hh).
Regards
Markus Wanner