Re: Should we be alarmed at our state of security support?

To: John Goerzen <jgoerzen@complete.org>
Cc: Thijs Kinkhorst <thijs@debian.org>, debian-security@lists.debian.org
Subject: Re: Should we be alarmed at our state of security support?
From: Florian Weimer <fw@deneb.enyo.de>
Date: Wed, 18 Feb 2015 23:19:57 +0100
Message-id: <[🔎] 873862n9pu.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 54E4E6ED.3090509@complete.org> (John Goerzen's message of "Wed, 18 Feb 2015 13:24:29 -0600")
References: <[🔎] 54E49DA6.7050306@complete.org> <[🔎] 31c7abb9d4b4dca916c455ecadbed574.squirrel@aphrodite.kinkhorst.nl> <[🔎] 54E4E6ED.3090509@complete.org>

* John Goerzen:

> Regarding the python2.6 one you were saying wasn't a big deal -- there's
> a proof of concept exploit for it
> https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
> .  Why would the tracker say that such a thing wasn't important enough
> to fix?

You need an application which uses recvfrom_into (I don't think we
ship any), and that application must handle the buffer size
incorrectly (i.e., it would generate an exception with the fixed
Python version).  This is why it's not so critical after all.

Reply to:

References:
- Should we be alarmed at our state of security support?
  - From: John Goerzen <jgoerzen@complete.org>
- Re: Should we be alarmed at our state of security support?
  - From: "Thijs Kinkhorst" <thijs@debian.org>
- Re: Should we be alarmed at our state of security support?
  - From: John Goerzen <jgoerzen@complete.org>

Prev by Date: AUTO: Fredo Strüber is out of the office (Rückkehr am 19.02.2015)
Next by Date: Re: Missing tiff3 patch in security repo
Previous by thread: Re: Should we be alarmed at our state of security support?
Next by thread: Re: Should we be alarmed at our state of security support?
Index(es):
- Date
- Thread