Re: CVE-2017-9525 in Debian Stretch stable release

To: Vladyslav Cherednychenko <vladyslav.cherednychenko@aboutyou.com>
Cc: debian-security@lists.debian.org
Subject: Re: CVE-2017-9525 in Debian Stretch stable release
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 16 Jul 2019 22:08:42 +0200
Message-id: <[🔎] 20190716200842.GA24089@eldamar.local>
Mail-followup-to: Vladyslav Cherednychenko <vladyslav.cherednychenko@aboutyou.com>, debian-security@lists.debian.org
In-reply-to: <[🔎] 1789BCBD-A8B2-4693-A7CC-C12FE181D7AB@aboutyou.com>
References: <[🔎] 1789BCBD-A8B2-4693-A7CC-C12FE181D7AB@aboutyou.com>

Hi,

On Thu, Jul 11, 2019 at 05:21:38PM +0200, Vladyslav Cherednychenko wrote:
> Dear Debian Security Team,
> I noticed that the latest available cron package in the stable
> distribution of Debian Stretch is vulnerable to CVE-2017-9525:
> https://security-tracker.debian.org/tracker/CVE-2017-9525
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864466
> 
> It seems like this issue has been known for a while now and fixed.
> Are there plans to include cron version 3.0pl1-129 to the stable
> release of Debian Stretch?

There are currently no plans to update the cron package to adress this
issue only. The issue is severity wise minor, and would not warrant a
DSA on its own. It can be fixed in a point release, but ideally
picking up other src:cron issues which are open for stretch in a point
release.

Regards,
Salvatore

Reply to:

References:
- CVE-2017-9525 in Debian Stretch stable release
  - From: Vladyslav Cherednychenko <vladyslav.cherednychenko@aboutyou.com>

Prev by Date: CVE-2017-9525 in Debian Stretch stable release
Next by Date: PGP/GnuPG unsecure, should be replaced?
Previous by thread: CVE-2017-9525 in Debian Stretch stable release
Next by thread: PGP/GnuPG unsecure, should be replaced?
Index(es):
- Date
- Thread