Summary: | sys-devel/patch-2.7.4 version bump, fixes directory traversal (CVE-2015-1196) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Jeroen Roovers (RETIRED) <jer>
Component: | Vulnerabilities | Assignee: | Gentoo's Team for Core System packages <base-system>
Status: | RESOLVED FIXED | |
Severity: | normal | |
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Description
Jeroen Roovers (RETIRED)
2015-02-01 11:57:04 UTC
```
+*patch-2.7.4 (01 Feb 2015)
+
+  01 Feb 2015; Lars Wendler <polynomial-c@gentoo.org> -patch-2.7.1-r3.ebuild,
+  -patch-2.7.2.ebuild, +patch-2.7.4.ebuild,
+  -files/patch-2.7.1-Fix-removing-empty-directories.patch,
+  -files/patch-2.7.1-dry-run-mode-create-temp-files-in-temp-dir.patch,
+  -files/patch-2.7.1-initialize_data_structures_early_enough.patch,
+  -files/patch-2.7.1-prevent_depend_on_autotools.patch:
+  Version bump (bug #538426). Removed old.
```

Comment 2
Hanno Boeck

Sorry for the noise, I'm confused here. The changelog posted above indicates that CVE-2015-1196 is fixed in 2.7.4. However, CVE-2015-1196 is already handled in #536614; there it is indicated that this is fixed in 2.7.3. It seems the upstream NEWS file is not really clear about which issue was fixed in which version. Do we need fast-track stabilization of 2.7.4 for security reasons?

(In reply to Hanno Boeck from comment #2)
> Sorry for the noise, I'm confused here. The changelog posted above indicates
> that CVE-2015-1196 is fixed in 2.7.4. However, CVE-2015-1196 is already
> handled in #536614; there it is indicated that this is fixed in 2.7.3.

Yes, that's why I didn't tag this onto the security bug report.

> It seems the upstream NEWS file is not really clear about which issue was fixed in
> which version. Do we need fast-track stabilization of 2.7.4 for security
> reasons?

Not if the other bug handles this. We could retroactively fix the NEWS file. :)
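Review bot: the ChangeLog entry records this only as "Version bump (bug #538426). Removed old." and names no security issue, while the bug summary attributes the CVE-2015-1196 fix to 2.7.4 and the discussion notes that #536614 already tracks that CVE as fixed in 2.7.3; the entry should state which issue, if any, this bump addresses (for example by referencing the security bug, or by noting that the CVE was already fixed in 2.7.3), so that the ebuild history does not contradict the upstream NEWS file and the other bug.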