From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter Korsgaard
Date: Fri, 11 Jan 2019 12:53:24 +0100
Subject: [Buildroot] [PATCH 1/1] package/systemd: add upstream fix for CVE-2018-16864
In-Reply-To: (James Hilliard's message of "Fri, 11 Jan 2019 04:48:19 -0700")
References: <1547193242-29882-1-git-send-email-james.hilliard1@gmail.com> <87sgxzqxny.fsf@dell.be.48ers.dk> <87k1jbqvfv.fsf@dell.be.48ers.dk> <87fttzqux5.fsf@dell.be.48ers.dk>
Message-ID: <87bm4nqukr.fsf@dell.be.48ers.dk>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: buildroot@busybox.net

>>>>> "James" == James Hilliard writes:

Hi,

> On Fri, Jan 11, 2019 at 4:46 AM Peter Korsgaard wrote:
>>
>> >>>>> "James" == James Hilliard writes:
>>
>> Hi,
>>
>> >> >> What about CVE-2018-16865, E.G. commit 052c57f132f04a / ef4d6abe7c7fa?
>> >> >> Do those not apply to 240?
>> >> > So here https://www.qualys.com/2019/01/09/system-down/system-down.txt it says:
>> >> > "CVE-2018-16865 was introduced in December 2011 (systemd v38) and became
>> >> > exploitable in April 2013 (systemd v201). CVE-2018-16866 was introduced
>> >> > in June 2015 (systemd v221) and was inadvertently fixed in August 2018."
>> >> > So my assumption was that we didn't need patches for CVE-2018-16865
>> >> > since systemd 240 was released in Dec 2018.
>> >>
>> >> We don't need a fix for 16866, but we do need for 16865, right?
>> > That is not entirely clear to me as there seems to be contradictory info.
>>
>> Sorry, what is unclear about "CVE-2018-16865 was introduced in December
>> 2011 (systemd v38) and became exploitable in April 2013 (systemd v201)"?
> The part that is unclear is that it supposedly "was inadvertently
> fixed in August 2018".

But that refers to 18666 and NOT 18665?

-- 
Bye, Peter Korsgaard